From 5306fdab4d0104bf747a683f6e2fcac975dfa590 Mon Sep 17 00:00:00 2001 From: williamlardier Date: Fri, 29 Nov 2024 10:21:49 +0100 Subject: [PATCH] testing only quotas --- tests/ctst/features/README.md | 10 - tests/ctst/features/azureArchive.feature | 351 ----- .../notifications.feature | 183 --- tests/ctst/features/bucketWebsite.feature | 20 - tests/ctst/features/cloudserverAuth.feature | 58 - tests/ctst/features/dmf.feature | 209 --- .../features/iam-policies/AssumeRole.feature | 99 -- .../AssumeRoleWithWebIdentity.feature | 190 --- .../features/iam-policies/IAMUser.feature | 78 - .../iam-policies/backbeatServiceUser.feature | 74 - tests/ctst/features/pra.feature | 92 -- tests/ctst/features/quotas/CountItems.feature | 12 - .../resource-policies/AssumeRole.feature | 1283 ----------------- .../resource-policies/Conditions.feature | 52 - .../CrossAccountAssumeRole.feature | 1283 ----------------- .../resource-policies/IAMUser.feature | 1283 ----------------- .../resource-policies/UseCases.feature | 81 -- .../resource-policies/WebIdentity.feature | 18 - .../ctst/features/resource-policies/regen.js | 184 --- tests/ctst/features/sosapi.feature | 34 - tests/ctst/features/zzz.kafkaCleaner.feature | 10 - 21 files changed, 5604 deletions(-) delete mode 100644 tests/ctst/features/README.md delete mode 100644 tests/ctst/features/azureArchive.feature delete mode 100644 tests/ctst/features/bucket-notifications/notifications.feature delete mode 100644 tests/ctst/features/bucketWebsite.feature delete mode 100644 tests/ctst/features/cloudserverAuth.feature delete mode 100644 tests/ctst/features/dmf.feature delete mode 100644 tests/ctst/features/iam-policies/AssumeRole.feature delete mode 100644 tests/ctst/features/iam-policies/AssumeRoleWithWebIdentity.feature delete mode 100644 tests/ctst/features/iam-policies/IAMUser.feature delete mode 100644 tests/ctst/features/iam-policies/backbeatServiceUser.feature delete mode 100644 tests/ctst/features/pra.feature delete mode 100644 tests/ctst/features/quotas/CountItems.feature delete mode 100644 tests/ctst/features/resource-policies/AssumeRole.feature delete mode 100644 tests/ctst/features/resource-policies/Conditions.feature delete mode 100644 tests/ctst/features/resource-policies/CrossAccountAssumeRole.feature delete mode 100644 tests/ctst/features/resource-policies/IAMUser.feature delete mode 100644 tests/ctst/features/resource-policies/UseCases.feature delete mode 100644 tests/ctst/features/resource-policies/WebIdentity.feature delete mode 100644 tests/ctst/features/resource-policies/regen.js delete mode 100644 tests/ctst/features/sosapi.feature delete mode 100644 tests/ctst/features/zzz.kafkaCleaner.feature diff --git a/tests/ctst/features/README.md b/tests/ctst/features/README.md deleted file mode 100644 index f44de0340f..0000000000 --- a/tests/ctst/features/README.md +++ /dev/null @@ -1,10 +0,0 @@ -# CLI-testing - -## Features folder - -Tests are defined as english sentences under the features/* folder. -Files with type `feature` are written in the `gherkin` format and define a set -of scenarios for one feature, and will use JS scripts to run them dynamically. - -For more information, see -[CucumberJS documentation](https://github.com/cucumber/cucumber-js/blob/main/docs). diff --git a/tests/ctst/features/azureArchive.feature b/tests/ctst/features/azureArchive.feature deleted file mode 100644 index 9839c5fbfd..0000000000 --- a/tests/ctst/features/azureArchive.feature +++ /dev/null @@ -1,351 +0,0 @@ -Feature: Azure Archive - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Archive objects when timeout is reached - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioned" and have the storage class "e2e-azure-archive" - And manifest containing object "obj-1" should "contain" object "obj-2" - And manifest access tier should be valid for object "obj-1" - And tar access tier should be valid for object "obj-1" - - Examples: - | versioningConfiguration | objectCount | objectSize | - | Non versioned | 2 | 100 | - | Versioned | 2 | 100 | - | Suspended | 2 | 100 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Archive 0 byte objects - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-3" should be "transitioned" and have the storage class "e2e-azure-archive" - - Examples: - | versioningConfiguration | objectCount | objectSize | - | Non versioned | 3 | 0 | - | Versioned | 3 | 0 | - | Suspended | 3 | 0 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Create, read, update and delete azure archive location - Given an azure archive location "" - And a "" bucket - And a transition workflow to "" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioning" and have the storage class "" - And object "obj-2" should be "transitioning" and have the storage class "" - And object "obj-3" should be "transitioning" and have the storage class "" - When i change azure archive location "" container target - Given objects "obj2" of size bytes - Then object "obj2-1" should be "transitioning" and have the storage class "" - And object "obj2-2" should be "transitioning" and have the storage class "" - And object "obj2-3" should be "transitioning" and have the storage class "" - - Examples: - | versioningConfiguration | objectCount | objectSize | locationName | - | Non versioned | 3 | 0 | e2e-azure-archive-2-non-versioned | - | Versioned | 3 | 0 | e2e-azure-archive-2-versioned | - | Suspended | 3 | 0 | e2e-azure-archive-2-suspended | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Respect maximum number of objects per archived Tar - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-3" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-4" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-5" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-6" should be "transitioned" and have the storage class "e2e-azure-archive" - And manifest and tar containing object "obj-1" should exist - And manifest containing object "" should contain objects - And manifest and tar containing object "obj-2" should exist - And manifest containing object "" should contain objects - And manifest and tar containing object "obj-3" should exist - And manifest containing object "" should contain objects - And manifest and tar containing object "obj-4" should exist - And manifest containing object "" should contain objects - And manifest and tar containing object "obj-5" should exist - And manifest containing object "" should contain objects - And manifest and tar containing object "obj-6" should exist - And manifest containing object "" should contain objects - - Examples: - | versioningConfiguration | objectCount | objectSize | packObjectCount | - | Non versioned | 6 | 1 | 3 | - | Versioned | 6 | 1 | 3 | - | Suspended | 6 | 1 | 3 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Respect maximum size of an archived Tar - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioned" and have the storage class "e2e-azure-archive" - And manifest and tar containing object "obj-1" should exist - And manifest containing object "" should contain objects - And manifest and tar containing object "obj-2" should exist - And manifest containing object "" should contain objects - - Examples: - | versioningConfiguration | objectCount | objectSize | packObjectCount | - | Non versioned | 2 | 30000 | 1 | - | Versioned | 2 | 30000 | 1 | - | Suspended | 2 | 30000 | 1 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Restore an already restored object - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioned" and have the storage class "e2e-azure-archive" - When i restore object "obj-1" for days - And i restore object "obj-2" for days - Then blob for object "obj-1" must be rehydrated - And blob for object "obj-2" must be rehydrated - Then object "obj-1" should be "restored" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "restored" and have the storage class "e2e-azure-archive" - And object "obj-1" should expire in days - And object "obj-2" should expire in days - When i restore object "obj-1" for 30 days - And i restore object "obj-2" for 5 days - Then object "obj-1" should expire in 30 days - And object "obj-2" should expire in 5 days - When i wait for 5 days - Then object "obj-1" should expire in 25 days - And object "obj-2" should be "cold" and have the storage class "e2e-azure-archive" - When i wait for 25 days - Then object "obj-1" should be "cold" and have the storage class "e2e-azure-archive" - - Examples: - | versioningConfiguration | objectCount | objectSize | restoreDays | - | Non versioned | 2 | 100 | 15 | - | Versioned | 2 | 100 | 15 | - | Suspended | 2 | 100 | 15 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Restore an object that has already been restored and expired - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - When i restore object "obj-1" for days - Then blob for object "obj-1" must be rehydrated - Then object "obj-1" should be "restored" and have the storage class "e2e-azure-archive" - And object "obj-1" should expire in days - When i wait for days - Then object "obj-1" should be "cold" and have the storage class "e2e-azure-archive" - Then i restore object "obj-1" for days - Then object "obj-1" should be "restored" and have the storage class "e2e-azure-archive" - And object "obj-1" should expire in days - When i wait for days - Then object "obj-1" should be "cold" and have the storage class "e2e-azure-archive" - - Examples: - | versioningConfiguration | objectCount | objectSize | restoreDays | - | Non versioned | 2 | 100 | 15 | - | Versioned | 2 | 100 | 15 | - | Suspended | 2 | 100 | 15 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Restore objects from tar - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes with user metadata "x-amz-meta-123=456" - And object "obj-2" should have the user metadata with key "x-amz-meta-123" and value "456" - And a tag on object "obj-1" with key "tag1" and value "value1" - And a tag on object "obj-2" with key "tag2" and value "value2" - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioned" and have the storage class "e2e-azure-archive" - And manifest containing object "obj-1" should "contain" object "obj-2" - When i restore object "obj-1" for days - Then blob for object "obj-1" must be rehydrated - And blob for object "obj-2" must be rehydrated - Then object "obj-1" should be "restored" and have the storage class "e2e-azure-archive" - And object "obj-1" should expire in days - And object "obj-1" should have the same data - And object "obj-1" should have the tag "tag1" with value "value1" - And object "obj-1" should have the user metadata with key "x-amz-meta-123" and value "456" - When i restore object "obj-2" for days - Then object "obj-2" should be "restored" and have the storage class "e2e-azure-archive" - And object "obj-2" should expire in days - And object "obj-2" should have the same data - And object "obj-2" should have the tag "tag2" with value "value2" - And object "obj-2" should have the user metadata with key "x-amz-meta-123" and value "456" - - When i wait for days - Then object "obj-1" should be "cold" and have the storage class "e2e-azure-archive" - Then object "obj-2" should be "cold" and have the storage class "e2e-azure-archive" - - Examples: - | versioningConfiguration | objectCount | objectSize | restoreDays | - | Non versioned | 2 | 100 | 15 | - | Versioned | 2 | 100 | 15 | - | Suspended | 2 | 100 | 15 | - - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Failed restore objects from tar must be retried and restored - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioning" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioning" and have the storage class "e2e-azure-archive" - And manifest containing object "obj-1" should "contain" object "obj-2" - When i restore object "obj-1" for days - Then blob for object "obj-1" fails to rehydrate - And blob for object "obj-2" fails to rehydrate - Then object "obj-1" should be "transitioning" and have the storage class "e2e-azure-archive" - When i run sorbetctl to retry failed restore for "e2e-azure-archive" location - Then object "obj-1" should be "restored" and have the storage class "e2e-azure-archive" - And object "obj-1" should expire in days - And object "obj-1" should have the same data - - Examples: - | versioningConfiguration | objectCount | objectSize | restoreDays | - | Non versioned | 2 | 100 | 5 | - | Versioned | 2 | 100 | 2 | - | Suspended | 2 | 100 | 2 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - Scenario Outline: Pause and resume archiving to azure (PutObject after pause) - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And that lifecycle is "paused" for the "e2e-azure-archive" location - And objects "obj" of size bytes - Then the storage class of object "obj-1" must stay "" for seconds - And the storage class of object "obj-2" must stay "" for seconds - Given that lifecycle is "resumed" for the "e2e-azure-archive" location - Then object "obj-1" should be "transitioning" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioning" and have the storage class "e2e-azure-archive" - - Examples: - | versioningConfiguration | objectCount | objectSize | timeout | - | Non versioned | 2 | 30000 | 10 | - | Versioned | 2 | 30000 | 10 | - | Suspended | 2 | 30000 | 10 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - Scenario Outline: Pause and resume archiving to azure (PutObject before pause) - Given a "" bucket - And objects "obj" of size bytes - And a transition workflow to "e2e-azure-archive" location - And that lifecycle is "paused" for the "e2e-azure-archive" location - Then the storage class of object "obj-1" must stay "" for seconds - And the storage class of object "obj-2" must stay "" for seconds - Given that lifecycle is "resumed" for the "e2e-azure-archive" location - Then object "obj-1" should be "transitioning" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioning" and have the storage class "e2e-azure-archive" - - Examples: - | versioningConfiguration | objectCount | objectSize | timeout | - | Non versioned | 2 | 30000 | 10 | - | Versioned | 2 | 30000 | 10 | - | Suspended | 2 | 30000 | 10 | - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Restore notifications are triggered - Given a "" bucket - And one notification destination - And i subscribe to "s3:ObjectRestore:*" notifications for destination 0 - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - And object "obj-2" should be "transitioned" and have the storage class "e2e-azure-archive" - When i restore object "obj-2" for days - Then i should "receive" a notification for "s3:ObjectRestore:Post" event in destination 0 - And blob for object "obj-2" must be rehydrated - Then object "obj-2" should be "restored" and have the storage class "e2e-azure-archive" - Then i should "receive" a notification for "s3:ObjectRestore:Completed" event in destination 0 - When i wait for days - Then i should "receive" a notification for "s3:ObjectRestore:Delete" event in destination 0 - - Examples: - | versioningConfiguration | objectCount | objectSize | restoreDays | - | Non versioned | 2 | 100 | 15 | - | Versioned | 2 | 100 | 15 | - | Suspended | 2 | 100 | 15 | - - - @2.7.0 - @PreMerge - @Flaky - @AzureArchive - @ColdStorage - Scenario Outline: Cannot add object MD to a transitioned object - Given a "" bucket - And a transition workflow to "e2e-azure-archive" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - Then i "should not" be able to add user metadata to object "obj-1" - When i restore object "obj-1" for 10 days - When i restore object "obj-2" for 10 days - Then blob for object "obj-1" must be rehydrated - Then blob for object "obj-2" must be rehydrated - Then object "obj-1" should be "restored" and have the storage class "e2e-azure-archive" - Then object "obj-2" should be "restored" and have the storage class "e2e-azure-archive" - Then i "should" be able to add user metadata to object "obj-1" - Then i "should" be able to add user metadata to object "obj-2" - Then object "obj-1" should be "transitioned" and have the storage class "e2e-azure-archive" - Then object "obj-2" should be "transitioned" and have the storage class "e2e-azure-archive" - - Examples: - | versioningConfiguration | objectCount | objectSize | packObjectCount | - | Non versioned | 2 | 30000 | 1 | - | Versioned | 2 | 30000 | 1 | - | Suspended | 2 | 30000 | 1 | diff --git a/tests/ctst/features/bucket-notifications/notifications.feature b/tests/ctst/features/bucket-notifications/notifications.feature deleted file mode 100644 index 2a8828cf4a..0000000000 --- a/tests/ctst/features/bucket-notifications/notifications.feature +++ /dev/null @@ -1,183 +0,0 @@ -Feature: Bucket notifications - In order to receive notifications - As an Artesca User - I want to activate notifications - And to subscribe to events I want to be notified on - And to receive notifications on buckets/objects activities I have subscribed to - - @2.6.0 - @PreMerge - @BucketNotification - Scenario Outline: Configure bucket notifications for events - Given a "" bucket - And one notification destination - When i subscribe to "" notifications for destination - Then notifications should be enabled for "" event in destination - - Examples: - | versioningConfiguration | notificationType | destination | - | Non versioned | s3:ObjectCreated:* | 0 | - | Non versioned | s3:ObjectCreated:Put | 0 | - | Non versioned | s3:ObjectCreated:Copy | 0 | - | Non versioned | s3:ObjectRemoved:* | 0 | - | Non versioned | s3:ObjectRemoved:Delete | 0 | - | Non versioned | s3:ObjectTagging:* | 0 | - | Non versioned | s3:ObjectTagging:Put | 0 | - | Non versioned | s3:ObjectTagging:Delete | 0 | - | Non versioned | s3:ObjectAcl:Put | 0 | - | Versioned | s3:ObjectCreated:* | 0 | - | Versioned | s3:ObjectCreated:Put | 0 | - | Versioned | s3:ObjectCreated:Copy | 0 | - | Versioned | s3:ObjectRemoved:* | 0 | - | Versioned | s3:ObjectRemoved:Delete | 0 | - | Versioned | s3:ObjectRemoved:DeleteMarkerCreated| 0 | - | Versioned | s3:ObjectTagging:* | 0 | - | Versioned | s3:ObjectTagging:Put | 0 | - | Versioned | s3:ObjectTagging:Delete | 0 | - | Versioned | s3:ObjectAcl:Put | 0 | - | Versioning suspended | s3:ObjectCreated:* | 0 | - | Versioning suspended | s3:ObjectCreated:Put | 0 | - | Versioning suspended | s3:ObjectCreated:Copy | 0 | - | Versioning suspended | s3:ObjectRemoved:* | 0 | - | Versioning suspended | s3:ObjectRemoved:Delete | 0 | - | Versioning suspended | s3:ObjectRemoved:DeleteMarkerCreated| 0 | - | Versioning suspended | s3:ObjectTagging:* | 0 | - | Versioning suspended | s3:ObjectTagging:Put | 0 | - | Versioning suspended | s3:ObjectTagging:Delete | 0 | - | Versioning suspended | s3:ObjectAcl:Put | 0 | - - @2.6.0 - @PreMerge - @Flaky - @BucketNotification - Scenario Outline: Recieve notification for configured events - Given a "" bucket - And one notification destination - When i subscribe to "" notifications for destination - And a "" event is triggered "" "" - Then i should "" a notification for "" event in destination - - Examples: - | versioningConfiguration | subscribedNotificationType | notificationType | enable | filterType | shouldReceive | destination | - | Non versioned | s3:ObjectCreated:* | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Non versioned | s3:ObjectCreated:* | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Non versioned | s3:ObjectCreated:Put | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Non versioned | s3:ObjectRemoved:* | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Non versioned | s3:ObjectTagging:* | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Non versioned | s3:ObjectTagging:* | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Non versioned | s3:ObjectTagging:Put | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Non versioned | s3:ObjectAcl:Put | s3:ObjectAcl:Put | without | filter | receive | 0 | - | Versioned | s3:ObjectCreated:* | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Versioned | s3:ObjectCreated:Put | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Versioned | s3:ObjectCreated:Copy | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Versioned | s3:ObjectRemoved:* | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Versioned | s3:ObjectRemoved:* | s3:ObjectRemoved:DeleteMarkerCreated | without | filter | receive | 0 | - | Versioned | s3:ObjectRemoved:Delete | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Versioned | s3:ObjectRemoved:DeleteMarkerCreated | s3:ObjectRemoved:DeleteMarkerCreated | without | filter | receive | 0 | - | Versioned | s3:ObjectTagging:* | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Versioned | s3:ObjectTagging:* | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Versioned | s3:ObjectTagging:Put | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Versioned | s3:ObjectTagging:Delete | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Versioned | s3:ObjectAcl:Put | s3:ObjectAcl:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectCreated:* | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectCreated:* | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectCreated:Put | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectCreated:Copy | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectRemoved:* | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectRemoved:Delete | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectTagging:* | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectTagging:* | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectTagging:Put | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectTagging:Delete | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectAcl:Put | s3:ObjectAcl:Put | without | filter | receive | 0 | - - @2.6.0 - @PreMerge - @BucketNotification - Scenario Outline: Not recieving notification for non configured events - Given a "" bucket - And one notification destination - When i subscribe to "" notifications for destination - And i unsubscribe from "" notifications for destination - And a "" event is triggered "" "" - Then i should "" a notification for "" event in destination - - Examples: - | versioningConfiguration | subscribedNotificationType | notificationType | enable | filterType | shouldReceive | destination | - | Non versioned | all | s3:ObjectCreated:Put | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectCreated:Copy | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectRemoved:Delete | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectTagging:Put | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectTagging:Delete | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectAcl:Put | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectCreated:Put | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectCreated:Copy | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectRemoved:Delete | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectTagging:Put | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectTagging:Delete | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectAcl:Put | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectCreated:Put | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectCreated:Copy | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectRemoved:Delete | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectTagging:Put | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectTagging:Delete | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectAcl:Put | without | filter | not receive | 0 | - - @2.6.0 - @PreMerge - @Flaky - @BucketNotification - Scenario Outline: Recieve notification for configured events with correct filter - Given a "" bucket - And one notification destination - When i subscribe to "" notifications for destination with "" filter - And a "" event is triggered "" "" - Then i should "" a notification for "" event in destination - - Examples: - | versioningConfiguration | notificationType | enable | filterType | shouldReceive | destination | - | Non versioned | s3:ObjectCreated:Put | with | prefix | receive | 0 | - | Non versioned | s3:ObjectCreated:Put | with | suffix | receive | 0 | - | Non versioned | s3:ObjectCreated:Put | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectCreated:Put | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | with | prefix | receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | with | suffix | receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | with | prefix | receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | with | suffix | receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectTagging:Put | with | prefix | receive | 0 | - | Non versioned | s3:ObjectTagging:Put | with | suffix | receive | 0 | - | Non versioned | s3:ObjectTagging:Put | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectTagging:Put | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | with | prefix | receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | with | suffix | receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectAcl:Put | with | prefix | receive | 0 | - | Non versioned | s3:ObjectAcl:Put | with | suffix | receive | 0 | - | Non versioned | s3:ObjectAcl:Put | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectAcl:Put | without | suffix | not receive | 0 | - - @2.6.0 - @PreMerge - @Flaky - @BucketNotification - Scenario Outline: Recieve notification in multiple destinations - Given a "" bucket - And two notification destinations - When i subscribe to "" notifications for destination - And i subscribe to "" notifications for destination - And a "" event is triggered "" "" - Then i should "" a notification for "" event in destination - And i should "" a notification for "" event in destination - - Examples: - | versioningConfiguration | subscribedNotificationType | subscribedNotificationTypeSec | triggeredNotif | enable | filterType | shouldReceive | shouldReceiveSec | destination | destinationSec | - | Non versioned | s3:ObjectCreated:Put | s3:ObjectCreated:Put | s3:ObjectCreated:Put | without | filter | receive | receive | 0 | 1 | - | Non versioned | s3:ObjectCreated:Put | s3:ObjectCreated:Copy | s3:ObjectCreated:Put | without | filter | receive | not receive | 0 | 1 | diff --git a/tests/ctst/features/bucketWebsite.feature b/tests/ctst/features/bucketWebsite.feature deleted file mode 100644 index e0b8e0a468..0000000000 --- a/tests/ctst/features/bucketWebsite.feature +++ /dev/null @@ -1,20 +0,0 @@ -Feature: Bucket Websites - - @2.6.0 - @PreMerge - @BucketWebsite - Scenario Outline: Bucket Website CRUD - # The scenario should test that we can put a bucket website configuration on a bucket - # send an index.html - # And also use a pensieve API to add the new endpoint to the list - # Then using the local etc hosts, we should be able to load the html page - Given an existing bucket "website" "" versioning, "without" ObjectLock "without" retention mode - And an index html file - When the user puts the bucket website configuration - And the user creates an S3 Bucket policy granting public read access - And the "" endpoint is added to the overlay - Then the user should be able to load the index.html file from the "" endpoint - - Examples: - | domain | - | mywebsite.com | diff --git a/tests/ctst/features/cloudserverAuth.feature b/tests/ctst/features/cloudserverAuth.feature deleted file mode 100644 index 959a9cbf0a..0000000000 --- a/tests/ctst/features/cloudserverAuth.feature +++ /dev/null @@ -1,58 +0,0 @@ -Feature: AWS S3 Bucket operations - - @2.6.0 - @PreMerge - @Cloudserver-Auth - Scenario: Check Authentication on bucket object lock actions with Vault - Given a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "CreateBucket" on "*" - And an IAM policy attached to the entity "user" with "" effect to perform "PutBucketObjectLockConfiguration" on "*" - And an IAM policy attached to the entity "user" with "" effect to perform "PutBucketVersioning" on "*" - When the user tries to perform CreateBucket - Then it "" pass Vault authentication - - Examples: - | allow | should | - | Allow | should | - # TODO: reenable after fix CLOUDSERVER-401 - # | Deny | should not | - - - @2.6.0 - @PreMerge - @Cloudserver-Auth - Scenario: Check Authentication on bucket retention actions with Vault - Given an existing bucket "" "without" versioning, "with" ObjectLock "GOVERNANCE" retention mode - And a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "PutObject" on "*" - And an IAM policy attached to the entity "user" with "Allow" effect to perform "PutObjectRetention" on "*" - And an IAM policy attached to the entity "user" with "" effect to perform "BypassGovernanceRetention" on "*" - And an object "" that "exists" - When the user tries to perform PutObjectRetention "" bypass - Then it "" pass Vault authentication - - Examples: - | allow | should | withBypass | - | Allow | should | with | - | Allow | should not | without | - | Deny | should not | with | - - - @2.6.0 - @PreMerge - @Cloudserver-Auth - Scenario: Check Authentication on DeleteObjects with Vault - Given an existing bucket "" "without" versioning, "without" ObjectLock "without" retention mode - And a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "PutObject" on "*" - And an IAM policy attached to the entity "user" with "Allow" effect to perform "DeleteObject" on "" - And an IAM policy attached to the entity "user" with "" effect to perform "DeleteObject" on "" - And an object "" that "exists" - And an object "" that "exists" - When the user tries to perform DeleteObjects - Then it "" pass Vault authentication - - Examples: - | bucketName | objName1 | objName2 | resource1 | resource2 | allow | should | - | ca-do-bucket-1 | obj1 | obj2 | ca-do-bucket-1/obj1 | ca-do-bucket-1/obj2 | Allow | should | - | ca-do-bucket-2 | obj1 | obj2 | ca-do-bucket-2/obj1 | ca-do-bucket-2/obj2 | Deny | should not | diff --git a/tests/ctst/features/dmf.feature b/tests/ctst/features/dmf.feature deleted file mode 100644 index 38d4bc7997..0000000000 --- a/tests/ctst/features/dmf.feature +++ /dev/null @@ -1,209 +0,0 @@ -Feature: DMF - - @2.7.0 - @PreMerge - @Dmf - @ColdStorage - Scenario Outline: Deletion of an archived object - Given a "" bucket - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain objects - When i delete object "obj-1" - And i delete object "obj-2" - Then dmf volume should contain 0 objects - - Examples: - | versioningConfiguration | objectCount | objectSize | - | Non versioned | 2 | 100 | - | Versioned | 2 | 100 | - | Suspended | 2 | 100 | - - @2.7.0 - @PreMerge - @Dmf - @ColdStorage - @Flaky - Scenario Outline: Retry DMF job/command upon failure - Given a "" bucket - And a flaky backend that will require retries for "" - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - When i restore object "obj-1" for 5 days - Then object "obj-1" should be "restored" and have the storage class "e2e-cold" - When i delete object "obj-1" - And i delete object "obj-2" - Then dmf volume should contain 0 objects - - Examples: - | versioningConfiguration | objectCount | objectSize | retryNumber | operation | - | Non versioned | 2 | 100 | 1 | archive | - | Versioned | 2 | 100 | 1 | archive | - | Suspended | 2 | 100 | 1 | archive | - | Non versioned | 2 | 100 | 1 | restore | - | Versioned | 2 | 100 | 1 | restore | - | Suspended | 2 | 100 | 1 | restore | - | Non versioned | 2 | 100 | 1 | command | - | Versioned | 2 | 100 | 1 | command | - | Suspended | 2 | 100 | 1 | command | - - @2.7.0 - @PreMerge - @Dmf - @ColdStorage - Scenario Outline: Deletion of a restored object - Given a "" bucket - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain objects - When i restore object "obj-1" for days - Then object "obj-1" should be "restored" and have the storage class "e2e-cold" - When i delete object "obj-1" - And i delete object "obj-2" - Then dmf volume should contain 0 objects - - Examples: - | versioningConfiguration | objectCount | objectSize | restoreDays | - | Non versioned | 2 | 100 | 1 | - | Versioned | 2 | 100 | 1 | - | Suspended | 2 | 100 | 1 | - - @2.7.0 - @PreMerge - @Dmf - @ColdStorage - Scenario Outline: Overwriting of a cold object - Given a "" bucket - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain objects - Given objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - Then dmf volume should contain 1 objects - - Examples: - | versioningConfiguration | objectCount | objectSize | - | Non versioned | 1 | 100 | - | Suspended | 1 | 100 | - - @2.7.0 - @PreMerge - @Dmf - @ColdStorage - Scenario Outline: Overwriting of a cold object with mpu - Given a "" bucket - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain objects - Given mpu objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain 1 objects - - Examples: - | versioningConfiguration | objectCount | objectSize | - | Non versioned | 1 | 100 | - | Suspended | 1 | 100 | - - @2.7.0 - @PreMerge - @Dmf - @ColdStorage - Scenario Outline: Overwriting of a cold object with copyObject - Given a "" bucket - And a transition workflow to "e2e-cold" location - And 2 objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain 2 objects - When i restore object "obj-1" for 5 days - Then object "obj-1" should be "restored" and have the storage class "e2e-cold" - Given "obj-1" is copied to "obj-2" - Then object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain 2 objects - - Examples: - | versioningConfiguration | objectSize | - | Non versioned | 100 | - | Suspended | 100 | - - @2.7.0 - @PreMerge - @Dmf - @ColdStorage - Scenario Outline: Overwriting of a cold object with mpu - Given a "" bucket - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain objects - Given mpu objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain 1 objects - - Examples: - | versioningConfiguration | objectCount | objectSize | - | Non versioned | 1 | 100 | - | Suspended | 1 | 100 | - - @2.7.0 - @PreMerge - @Dmf - @ColdStorage - Scenario Outline: Overwriting of a cold object with copyObject - Given a "" bucket - And a transition workflow to "e2e-cold" location - And 2 objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain 2 objects - When i restore object "obj-1" for 5 days - Then object "obj-1" should be "restored" and have the storage class "e2e-cold" - Given "obj-1" is copied to "obj-2" - Then object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain 2 objects - - Examples: - | versioningConfiguration | objectSize | - | Non versioned | 100 | - | Suspended | 100 | - - @2.7.0 - @PreMerge - @Flaky - @Dmf - @ColdStorage - Scenario Outline: Restore an already restored object - Given a "" bucket - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - When i restore object "obj-1" for days - And i restore object "obj-2" for days - Then object "obj-1" should be "restored" and have the storage class "e2e-cold" - And object "obj-2" should be "restored" and have the storage class "e2e-cold" - And object "obj-1" should expire in days - And object "obj-2" should expire in days - When i restore object "obj-1" for 30 days - And i restore object "obj-2" for 5 days - Then object "obj-1" should expire in 30 days - And object "obj-2" should expire in 5 days - When i wait for 5 days - Then object "obj-1" should expire in 25 days - And object "obj-2" should be "cold" and have the storage class "e2e-cold" - When i wait for 25 days - Then object "obj-1" should be "cold" and have the storage class "e2e-cold" - - Examples: - | versioningConfiguration | objectCount | objectSize | restoreDays | - | Non versioned | 2 | 100 | 15 | - | Versioned | 2 | 100 | 15 | - | Suspended | 2 | 100 | 15 | diff --git a/tests/ctst/features/iam-policies/AssumeRole.feature b/tests/ctst/features/iam-policies/AssumeRole.feature deleted file mode 100644 index 77d3ad95c9..0000000000 --- a/tests/ctst/features/iam-policies/AssumeRole.feature +++ /dev/null @@ -1,99 +0,0 @@ -Feature: IAM Policies for Assume Role Session Users - This feature allows you to create and attach IAM policies for IAM users. - IAM users should have the permissions to perform the actions that they are granted in their IAM policies. - - - @2.6.0 - @PreMerge - @IamPoliciesAssumeRole - Scenario Outline: Assume Role User is not authorized to perform the actions with no IAM policy attached to the role - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a "" AssumeRole user - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | objectExists | ifCrossAccount | - | MetadataSearch | does not exist | | - | MetadataSearch | does not exist | cross account | - | GetObject | exists | | - | GetObject | exists | cross account | - - @2.6.0 - @PreMerge - @IamPoliciesAssumeRole - Scenario Outline: Assume Role User is authorized to perform the actions if the IAM policies that attached to the role have the right permission - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a "" AssumeRole user - And an IAM policy attached to the entity "role" with "Allow" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should be able to perform successfully the "" action - - Examples: - | action | resource | bucketName | objectExists | objectName | ifCrossAccount | - | MetadataSearch | * | | does not exist | | | - | MetadataSearch | * | | does not exist | | cross account | - | GetObject | * | | exists | | | - | GetObject | * | | exists | | cross account | - | MetadataSearch | ar-md-bucket1 | ar-md-bucket1 | does not exist | | | - | MetadataSearch | ar-md-bucket2 | ar-md-bucket2 | does not exist | | cross account | - | GetObject | ar-go-bucket1/* | ar-go-bucket1 | exists | | | - | GetObject | ar-go-bucket2/* | ar-go-bucket2 | exists | | cross account | - | GetObject | ar-go-bucket3/go-object | ar-go-bucket3 | exists | go-object | | - | GetObject | ar-go-bucket4/go-object | ar-go-bucket4 | exists | go-object | cross account | - - @2.6.0 - @PreMerge - @IamPoliciesAssumeRole - Scenario Outline: Assume Role User is not authorized to perform the actions on the resource when they don't have permissions for or explicitly denied in the IAM policies that attached the role that the User assumed - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a "" AssumeRole user - And an IAM policy attached to the entity "role" with "" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | effect | resource | bucketName | objectExists | objectName | ifCrossAccount | - | MetadataSearch | Allow | ar-md-bucket3-1 | ar-md-bucket3 | does not exist | | | - | MetadataSearch | Allow | ar-md-bucket4-1 | ar-md-bucket4 | does not exist | | cross account | - | MetadataSearch | Deny | * | | does not exist | | | - | MetadataSearch | Deny | * | | does not exist | | cross account | - | MetadataSearch | Deny | ar-md-bucket5 | ar-md-bucket5 | does not exist | | | - | MetadataSearch | Deny | ar-md-bucket6 | ar-md-bucket6 | does not exist | | cross account | - | GetObject | Allow | ar-go-bucket5-1/* | ar-go-bucket5 | exists | | | - | GetObject | Allow | ar-go-bucket6-1/* | ar-go-bucket6 | exists | | cross account | - | GetObject | Allow | ar-go-bucket7/go-object1 | ar-go-bucket7 | exists | go-object | | - | GetObject | Allow | ar-go-bucket8/go-object1 | ar-go-bucket8 | exists | go-object | cross account | - | GetObject | Deny | * | ar-go-bucket9 | exists | | | - | GetObject | Deny | * | ar-go-bucket10 | exists | | cross account | - | GetObject | Deny | ar-go-bucket11/* | ar-go-bucket11 | exists | | | - | GetObject | Deny | ar-go-bucket12/* | ar-go-bucket12 | exists | | cross account | - | GetObject | Deny | ar-go-bucket13/go-object | ar-go-bucket13 | exists | go-object | | - | GetObject | Deny | ar-go-bucket14/go-object | ar-go-bucket14 | exists | go-object | cross account | - - @2.6.0 - @PreMerge - @IamPoliciesAssumeRole - Scenario Outline: Assume Role User is not authorized to perform the actions on the resource if Allow and Denied are both specified in the IAM policies that attached to the role the User assumed - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a "" AssumeRole user - And an IAM policy attached to the entity "role" with "Allow" effect to perform "" on "" - And an IAM policy attached to the entity "role" with "Deny" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - Examples: - | action | resource | bucketName | objectExists | objectName | ifCrossAccount | - | MetadataSearch | * | ar-md-bucket7 | does not exist | | | - | MetadataSearch | * | ar-md-bucket8 | does not exist | | cross account | - | MetadataSearch | ar-md-bucket9 | ar-md-bucket9 | does not exist | | | - | MetadataSearch | ar-md-bucket10 | ar-md-bucket10 | does not exist | | cross account | - | GetObject | * | ar-go-bucket15 | exists | | | - | GetObject | * | ar-go-bucket16 | exists | | cross account | - | GetObject | ar-go-bucket17/* | ar-go-bucket17 | exists | | | - | GetObject | ar-go-bucket18/* | ar-go-bucket18 | exists | | cross account | - | GetObject | ar-go-bucket19/go-object | ar-go-bucket19 | exists | go-object | | - | GetObject | ar-go-bucket20/go-object | ar-go-bucket20 | exists | go-object | cross account | diff --git a/tests/ctst/features/iam-policies/AssumeRoleWithWebIdentity.feature b/tests/ctst/features/iam-policies/AssumeRoleWithWebIdentity.feature deleted file mode 100644 index 68d9c035ee..0000000000 --- a/tests/ctst/features/iam-policies/AssumeRoleWithWebIdentity.feature +++ /dev/null @@ -1,190 +0,0 @@ -Feature: Assume Role with Web Identity - In order to interact with restricted APIs - As an Artesca User - I want to use a web identity - And to succeed in accessing the API - - @2.6.0 - @PreMerge - @IAM-Policies-ARWWI - Scenario Outline: Assume Role with Web Identity - Given an existing bucket "" "" versioning, "without" ObjectLock "without" retention mode - And an object "" that "" - And a type - When the user tries to perform "" on the bucket - Then the user should be able to perform successfully the "" action - - Examples: - | action | type | withVersioning | objectExists | - | MetadataSearch | STORAGE_MANAGER | without | does not exist | - | PutObject | STORAGE_MANAGER | without | exists | - | PutObjectAcl | STORAGE_MANAGER | without | exists | - | GetObject | STORAGE_MANAGER | without | exists | - | GetObject | STORAGE_MANAGER | with | exists | - | GetObjectAcl | STORAGE_MANAGER | without | exists | - | DeleteObject | STORAGE_MANAGER | without | exists | - | DeleteObject | STORAGE_MANAGER | with | exists | - | GetBucketVersioning | STORAGE_MANAGER | with | does not exist | - | GetBucketAcl | STORAGE_MANAGER | without | does not exist | - | ListObjectsV2 | STORAGE_MANAGER | without | exists | - | ListObjectVersions | STORAGE_MANAGER | with | exists | - | DeleteObjects | STORAGE_MANAGER | without | exists | - | HeadObject | STORAGE_MANAGER | without | exists | - | CopyObject | STORAGE_MANAGER | without | exists | - | GetObjectTagging | STORAGE_MANAGER | without | exists | - | GetObjectTagging | STORAGE_MANAGER | with | exists | - | PutObjectTagging | STORAGE_MANAGER | without | exists | - | PutBucketLifecycleConfiguration | STORAGE_MANAGER | without | does not exist | - | GetObjectTagging | STORAGE_MANAGER | with | exists | - | DeleteObjectTagging | STORAGE_MANAGER | with | exists | - | DeleteObjectTagging | STORAGE_MANAGER | without | exists | - | PutObjectTagging | STORAGE_MANAGER | without | exists | - | PutObjectTagging | STORAGE_MANAGER | with | exists | - | GetObjectAcl | STORAGE_MANAGER | with | exists | - | GetObjectAcl | STORAGE_MANAGER | without | exists | - | PutObjectAcl | STORAGE_MANAGER | with | exists | - | PutObjectAcl | STORAGE_MANAGER | without | exists | - | PutBucketTagging | STORAGE_MANAGER | without | does not exist | - | DeleteBucketTagging | STORAGE_MANAGER | without | does not exist | - | PutBucketReplication | STORAGE_MANAGER | with | does not exist | - | MetadataSearch | STORAGE_ACCOUNT_OWNER | without | does not exist | - | PutObject | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectAcl | STORAGE_ACCOUNT_OWNER | without | exists | - | GetObject | STORAGE_ACCOUNT_OWNER | without | exists | - | GetObject | STORAGE_ACCOUNT_OWNER | with | exists | - | GetObjectAcl | STORAGE_ACCOUNT_OWNER | without | exists | - | DeleteObject | STORAGE_ACCOUNT_OWNER | without | exists | - | DeleteObject | STORAGE_ACCOUNT_OWNER | with | exists | - | GetBucketVersioning | STORAGE_ACCOUNT_OWNER | with | does not exist | - | GetBucketAcl | STORAGE_ACCOUNT_OWNER | without | does not exist | - | ListObjectsV2 | STORAGE_ACCOUNT_OWNER | without | exists | - | ListObjectVersions | STORAGE_ACCOUNT_OWNER | with | exists | - | DeleteObjects | STORAGE_ACCOUNT_OWNER | without | exists | - | HeadObject | STORAGE_ACCOUNT_OWNER | without | exists | - | CopyObject | STORAGE_ACCOUNT_OWNER | without | exists | - | GetObjectTagging | STORAGE_ACCOUNT_OWNER | without | exists | - | GetObjectTagging | STORAGE_ACCOUNT_OWNER | with | exists | - | PutObjectTagging | STORAGE_ACCOUNT_OWNER | without | exists | - | PutBucketLifecycleConfiguration | STORAGE_ACCOUNT_OWNER | without | does not exist | - | GetObject | STORAGE_ACCOUNT_OWNER | with | exists | - | GetObjectTagging | STORAGE_ACCOUNT_OWNER | with | exists | - | DeleteObjectTagging | STORAGE_ACCOUNT_OWNER | with | exists | - | DeleteObjectTagging | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectTagging | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectTagging | STORAGE_ACCOUNT_OWNER | with | exists | - | GetObjectAcl | STORAGE_ACCOUNT_OWNER | with | exists | - | GetObjectAcl | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectAcl | STORAGE_ACCOUNT_OWNER | with | exists | - | PutObjectAcl | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectAcl | STORAGE_ACCOUNT_OWNER | with | exists | - | PutBucketTagging | STORAGE_ACCOUNT_OWNER | without | does not exist | - | DeleteBucketTagging | STORAGE_ACCOUNT_OWNER | without | does not exist | - | PutBucketReplication | STORAGE_ACCOUNT_OWNER | with | does not exist | - | MetadataSearch | DATA_CONSUMER | without | does not exist | - | PutObject | DATA_CONSUMER | without | exists | - | PutObjectAcl | DATA_CONSUMER | without | exists | - | GetObject | DATA_CONSUMER | without | exists | - | GetObject | DATA_CONSUMER | with | exists | - | GetObjectAcl | DATA_CONSUMER | without | exists | - | DeleteObject | DATA_CONSUMER | without | exists | - | DeleteObject | DATA_CONSUMER | with | exists | - | GetBucketVersioning | DATA_CONSUMER | with | does not exist | - | GetBucketAcl | DATA_CONSUMER | without | does not exist | - | ListObjectsV2 | DATA_CONSUMER | without | exists | - | ListObjectVersions | DATA_CONSUMER | with | exists | - | DeleteObjects | DATA_CONSUMER | without | exists | - | HeadObject | DATA_CONSUMER | without | exists | - | CopyObject | DATA_CONSUMER | without | exists | - | GetObjectTagging | DATA_CONSUMER | without | exists | - | GetObjectTagging | DATA_CONSUMER | with | exists | - | PutObjectTagging | DATA_CONSUMER | without | exists | - | PutBucketLifecycleConfiguration | DATA_CONSUMER | without | does not exist | - | GetObject | DATA_CONSUMER | with | exists | - | GetObjectTagging | DATA_CONSUMER | with | exists | - | DeleteObjectTagging | DATA_CONSUMER | with | exists | - | DeleteObjectTagging | DATA_CONSUMER | without | exists | - | PutObjectTagging | DATA_CONSUMER | without | exists | - | PutObjectTagging | DATA_CONSUMER | with | exists | - | GetObjectAcl | DATA_CONSUMER | with | exists | - | GetObjectAcl | DATA_CONSUMER | without | exists | - | PutObjectAcl | DATA_CONSUMER | with | exists | - | PutObjectAcl | DATA_CONSUMER | without | exists | - | PutBucketTagging | DATA_CONSUMER | without | does not exist | - | DeleteBucketTagging | DATA_CONSUMER | without | does not exist | - | PutBucketReplication | DATA_CONSUMER | with | does not exist | - - - @2.6.0 - @PreMerge - @IAM-Policies-ARWWI - Scenario Outline: Assume Role with Web Identity bucket setting tests - Given an existing bucket "" "" versioning, "without" ObjectLock "without" retention mode - And an object "" that "" - And a type - When the user tries to perform "" on the bucket - Then the user should receive "" error - - Examples: - | action | type | withVersioning | objectExists | error | - | RestoreObject | STORAGE_MANAGER | with | exists | InvalidObjectState | - | GetBucketCors | STORAGE_MANAGER | without | does not exist | NoSuchCORSConfiguration | - | GetObjectLockConfiguration | STORAGE_MANAGER | without | exists | ObjectLockConfigurationNotFoundError | - | GetObjectRetention | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketReplication | STORAGE_MANAGER | without | does not exist | ReplicationConfigurationNotFoundError | - | GetBucketLifecycleConfiguration | STORAGE_MANAGER | without | does not exist | NoSuchLifecycleConfiguration | - | GetObjectRetention | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketTagging | STORAGE_MANAGER | without | does not exist | NoSuchTagSet | - | PutObjectLockConfiguration | STORAGE_MANAGER | without | exists | InvalidBucketState | - | RestoreObject | STORAGE_ACCOUNT_OWNER | with | exists | InvalidObjectState | - | GetBucketCors | STORAGE_ACCOUNT_OWNER | without | does not exist | NoSuchCORSConfiguration | - | GetObjectLockConfiguration | STORAGE_ACCOUNT_OWNER | without | exists | ObjectLockConfigurationNotFoundError | - | GetObjectRetention | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketReplication | STORAGE_ACCOUNT_OWNER | without | does not exist | ReplicationConfigurationNotFoundError | - | GetBucketLifecycleConfiguration | STORAGE_ACCOUNT_OWNER | without | does not exist | NoSuchLifecycleConfiguration | - | GetObjectRetention | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketTagging | STORAGE_ACCOUNT_OWNER | without | does not exist | NoSuchTagSet | - | PutObjectLockConfiguration | STORAGE_ACCOUNT_OWNER | without | exists | InvalidBucketState | - | RestoreObject | DATA_CONSUMER | with | exists | InvalidObjectState | - | GetBucketCors | DATA_CONSUMER | without | does not exist | NoSuchCORSConfiguration | - | GetObjectLockConfiguration | DATA_CONSUMER | without | exists | ObjectLockConfigurationNotFoundError | - | GetObjectRetention | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketReplication | DATA_CONSUMER | without | does not exist | ReplicationConfigurationNotFoundError | - | GetBucketLifecycleConfiguration | DATA_CONSUMER | without | does not exist | NoSuchLifecycleConfiguration | - | GetObjectRetention | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketTagging | DATA_CONSUMER | without | does not exist | NoSuchTagSet | - | PutObjectLockConfiguration | DATA_CONSUMER | without | exists | InvalidBucketState | - - - @2.6.0 - @PreMerge - @IAM-Policies-ARWWI - Scenario Outline: Data Consumer with Web Identity cannot perform these bucket actions - Given an existing bucket "" "" versioning, "without" ObjectLock "without" retention mode - And an object "" that "" - And a DATA_CONSUMER type - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | withVersioning | objectExists | - | CreateBucket | with | does not exist | - | DeleteBucket | with | does not exist | - | PutBucketVersioning | with | does not exist | diff --git a/tests/ctst/features/iam-policies/IAMUser.feature b/tests/ctst/features/iam-policies/IAMUser.feature deleted file mode 100644 index 0c74521755..0000000000 --- a/tests/ctst/features/iam-policies/IAMUser.feature +++ /dev/null @@ -1,78 +0,0 @@ -Feature: IAM Policies for IAM Users - This feature allows you to create and attach IAM policies for IAM users. - IAM users should have the permissions to perform the actions that they are granted in their IAM policies. - - @2.6.0 - @PreMerge - @IamPoliciesIamUsers - Scenario Outline: User is not authorized to perform the actions without IAM policy - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a IAM_USER type - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | objectExists | - | MetadataSearch | does not exist | - | GetObject | exists | - - @2.6.0 - @PreMerge - @IamPoliciesIamUsers - Scenario Outline: User is authorized to perform the actions that are granted in the IAM policy - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should be able to perform successfully the "" action - - Examples: - | action | resource | bucketName | objectExists | objectName | - | MetadataSearch | * | | does not exist | | - | GetObject | * | | exists | | - | MetadataSearch | iu-md-bucket1 | iu-md-bucket1 | does not exist | | - | GetObject | iu-go-bucket1/* | iu-go-bucket1 | exists | | - | GetObject | iu-go-bucket2/go-object | iu-go-bucket2 | exists | go-object | - - @2.6.0 - @PreMerge - @IamPoliciesIamUsers - Scenario Outline: User is not authorized to perform the actions on the resource that they don't have permissions for or explicitly denied - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a IAM_USER type - And an IAM policy attached to the entity "user" with "" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | effect | resource | bucketName | objectExists | objectName | - | MetadataSearch | Allow | iu-md-bucket3-1 | iu-md-bucket3 | does not exist | | - | MetadataSearch | Deny | * | | does not exist | | - | MetadataSearch | Deny | iu-md-bucket4 | iu-md-bucket4 | does not exist | | - | GetObject | Allow | iu-go-bucket3-1/* | iu-go-bucket3 | exists | | - | GetObject | Allow | iu-go-bucket4/go-object1 | iu-go-bucket4 | exists | go-object | - | GetObject | Deny | * | iu-go-bucket5 | exists | | - | GetObject | Deny | iu-go-bucket6/* | iu-go-bucket6 | exists | | - | GetObject | Deny | iu-go-bucket7/go-object | iu-go-bucket7 | exists | go-object | - - @2.6.0 - @PreMerge - @IamPoliciesIamUsers - Scenario Outline: User is not authorized to perform the actions on the resource when Allow and Denied are both specified - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "" on "" - And an IAM policy attached to the entity "user" with "Deny" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - Examples: - | action | resource | bucketName | objectExists | objectName | - | MetadataSearch | * | iu-md-bucket5 | does not exist | | - | MetadataSearch | iu-md-bucket6 | iu-md-bucket6 | does not exist | | - | GetObject | * | iu-go-bucket8 | exists | | - | GetObject | iu-go-bucket9/* | iu-go-bucket9 | exists | | - | GetObject | iu-go-bucket10/go-object | iu-go-bucket10 | exists | go-object | diff --git a/tests/ctst/features/iam-policies/backbeatServiceUser.feature b/tests/ctst/features/iam-policies/backbeatServiceUser.feature deleted file mode 100644 index 361d5cc832..0000000000 --- a/tests/ctst/features/iam-policies/backbeatServiceUser.feature +++ /dev/null @@ -1,74 +0,0 @@ -Feature: IAM Policies for Backbeat Service Users - As a backbeat service user, - I want to have specific permissions to perform S3 actions for data replication and expiration - So that I can effectively manage data within the system. - - - @2.6.0 - @PreMerge - @IamPoliciesBackbeatServiceUser - Scenario Outline: Backbeat Service Users are authorized to perform the actions and get success response - Given an existing bucket "" "" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a service user "" assuming the role "" of a user account - When the user tries to perform "" on the bucket - Then the user should be able to perform successfully the "" action - - Examples: - | action | withVersioning | objectExists | serviceUserName | roleName | - | GetBucketVersioning | with | does not exist | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | ListObjects | with | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | ListMultipartUploads | with | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObjectTagging | without | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObjectTagging | with | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObject | without | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObject | with | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObject | without | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | GetObject | with | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | DeleteObject | without | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | DeleteObject | with | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | AbortMultipartUpload | with | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | GetObject | without | exists | sorbet-fwd-2 | cold-storage-archive-role-2 | - | GetObject | with | exists | sorbet-fwd-2 | cold-storage-archive-role-2 | - | GetObject | without | exists | sorbet-fwd-2 | cold-storage-restore-role-2 | - | GetObject | with | exists | sorbet-fwd-2 | cold-storage-restore-role-2 | - - @2.6.0 - @PreMerge - @IamPoliciesBackbeatServiceUser - Scenario Outline: Backbeat Service Users are authorized to perform the actions and get expected error response - Given an existing bucket "" "" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a service user "" assuming the role "" of a user account - When the user tries to perform "" on the bucket - Then the user should receive "" error - - Examples: - | action | withVersioning | objectExists | serviceUserName | roleName | expectedError | - | GetBucketLifecycleConfiguration | with | does not exist | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | NoSuchLifecycleConfiguration | - | PutObjectVersion | with | exists | sorbet-fwd-2 | cold-storage-restore-role-2 | InvalidObjectState | - - @2.6.0 - @PreMerge - @IamPoliciesBackbeatServiceUser - Scenario Outline: Backbeat Service Users are authorized to perform the actions - Given a service user "" assuming the role "" of an internal service account - When the user tries to perform vault auth "" - Then the user should be able to perform successfully the "" action - - Examples: - | action | serviceUserName | roleName | - | GetAccountInfo | backbeat-qp-1 | backbeat-qp-1 | - | GetAccountInfo | backbeat-lifecycle-conductor-1 | backbeat-lifecycle-conductor-1 | - - @2.6.0 - @PreMerge - @IamPoliciesBackbeatServiceUser - Scenario Outline: Backbeat Service Users are not authorized to perform the actions - Given a service user "" assuming the role "" of a user account - When the user tries to perform vault auth "" - Then the user should not be able to perform the "" action - - Examples: - | action | serviceUserName | roleName | - | GetAccountInfo | backbeat-lifecycle-conductor-1 | backbeat-lifecycle-conductor-1 | diff --git a/tests/ctst/features/pra.feature b/tests/ctst/features/pra.feature deleted file mode 100644 index 0199b137b2..0000000000 --- a/tests/ctst/features/pra.feature +++ /dev/null @@ -1,92 +0,0 @@ -Feature: PRA operations - - @2.6.0 - @PreMerge - @Dmf - @PRA - @ColdStorage - Scenario Outline: PRA (nominal case) - # Prepare objects in the primary site - Given a "" bucket - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes on "Primary" site - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain objects - - # Deploy PRA - Given a DR installed - Then the DR source should be in phase "Running" - And the DR sink should be in phase "Running" - And the kafka DR volume exists - And prometheus should scrap federated metrics from DR sink - - # Check that objects are transitioned in the DR site - Given access keys for the replicated account - - Then object "obj-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - # Test again the transition workflow - Given objects "obj2" of size bytes on "Pimary" site - Then object "obj2-1" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - And object "obj2-2" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - Then object "obj2-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj2-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - When i restore object "obj-1" for 2 days on "Primary" site - Then object "obj-1" should "" be "restored" and have the storage class "e2e-cold" on "Primary" site - And object "obj-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - # Test the readonly - When the "vault-check-seeds" cronjobs completes without error on "Primary" site - And the DATA_ACCESSOR user tries to perform PutObject on "DR" site - Then it "should not" pass Vault authentication - - # Switch to failover - When I request the failover state for the DR - Then the DR sink should be in phase "Failover" - - # Restore on DR site - When i restore object "obj2-1" for 200000 days on "DR" site - Then object "obj2-1" should "" be "restored" and have the storage class "e2e-cold" on "DR" site - And object "obj2-1" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - - # Switch to failback - When I resume operations for the DR - Then the DR sink should be in phase "Running" - And object "obj2-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - # Pause / Resume DR - When I pause the DR - Then the DR source should be in phase "Paused" - - Given objects "obj3" of size bytes on "Pimary" site - Then object "obj3-1" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - And object "obj3-2" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - Then object "obj3-1" should "not" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj3-2" should "not" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - When I resume the DR - Then the DR source should be in phase "Running" - Then object "obj3-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj3-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - # Uninstall DR - When I uninstall DR - Then the DR custom resources should be deleted - - # Re-add objects to bucket - Given objects "obj3" of size bytes on "Primary" site - Then object "obj3-1" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - - # Deploy PRA again - Given a DR installed - Then the DR source should be in phase "Running" - And the DR sink should be in phase "Running" - Given access keys for the replicated account - Then object "obj3-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj3-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - Examples: - | versioningConfiguration | objectCount | objectSize | - | Versioned | 2 | 100 | \ No newline at end of file diff --git a/tests/ctst/features/quotas/CountItems.feature b/tests/ctst/features/quotas/CountItems.feature deleted file mode 100644 index e009f1766a..0000000000 --- a/tests/ctst/features/quotas/CountItems.feature +++ /dev/null @@ -1,12 +0,0 @@ -Feature: CountItems measures the utilization metrics - The utilization metrics are computed for accounts, buckets and locations - -@2.6.0 -@PreMerge -@CronJob -@CountItems -Scenario Outline: Countitems runs without error and compute utilization metrics - Given an existing bucket "" "without" versioning, "without" ObjectLock "without" retention mode - And an object "" that "exists" - When the "count-items" cronjobs completes without error - Then the operation finished without error diff --git a/tests/ctst/features/resource-policies/AssumeRole.feature b/tests/ctst/features/resource-policies/AssumeRole.feature deleted file mode 100644 index 38b718f072..0000000000 --- a/tests/ctst/features/resource-policies/AssumeRole.feature +++ /dev/null @@ -1,1283 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow for IAM Assume Roles - This feature allows you to create and attach bucket policies to S3 buckets. - IAM Users should have the permissions to perform the actions that they are granted in their bucket policies - based on the other permissions they also have from their role. - This test suite is not meant to be human-readable, but brings confidence in our Authz flow for all supported - S3 actions. - - @2.6.0 - @PreMerge - @BucketPolicies - @BP-ASSUME_ROLE_USER - Scenario Outline: ASSUME ROLE: IAM Policy and S3 Bucket Policy - Given an action "" - And an existing bucket prepared for the action - And a ASSUME_ROLE_USER type - And an environment setup for the API - And an "" IAM Policy that "" with "" effect for the current API - And an "" S3 Bucket Policy that "" with "" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | action | bucketPolicyExists | bucketPolicyApplies | bucketPolicyEffect | iamPolicyExists | iamPolicyApplies | iamPolicyEffect | - # Everything below is generated - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | non-existing | | | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | non-existing | | | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW | - | AbortMultipartUpload | non-existing | | | existing | applies | DENY | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | AbortMultipartUpload | non-existing | | | non-existing | | | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | non-existing | | | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CompleteMultipartUpload | non-existing | | | existing | applies | DENY | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CompleteMultipartUpload | non-existing | | | non-existing | | | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | applies | ALLOW | existing | applies | DENY | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | applies | ALLOW | non-existing | | | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW | - | CopyObject | existing | applies | DENY | existing | applies | DENY | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | DENY | existing | does not apply | ALLOW | - | CopyObject | existing | applies | DENY | non-existing | | | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | does not apply | ALLOW | existing | applies | DENY | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | does not apply | ALLOW | non-existing | | | - | CopyObject | non-existing | | | existing | applies | ALLOW | - | CopyObject | non-existing | | | existing | applies | DENY | - | CopyObject | non-existing | | | existing | applies | ALLOW+DENY | - | CopyObject | non-existing | | | existing | does not apply | ALLOW | - | CopyObject | non-existing | | | non-existing | | | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | non-existing | | | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CreateMultipartUpload | non-existing | | | existing | applies | DENY | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CreateMultipartUpload | non-existing | | | non-existing | | | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | ALLOW | non-existing | | | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucket | existing | applies | DENY | existing | applies | DENY | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | DENY | non-existing | | | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucket | non-existing | | | existing | applies | ALLOW | - | DeleteBucket | non-existing | | | existing | applies | DENY | - | DeleteBucket | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucket | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucket | non-existing | | | non-existing | | | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | non-existing | | | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | DENY | non-existing | | | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW | - | DeleteBucketCors | non-existing | | | existing | applies | DENY | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketCors | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketCors | non-existing | | | non-existing | | | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | non-existing | | | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | non-existing | | | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW | - | DeleteBucketEncryption | non-existing | | | existing | applies | DENY | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketEncryption | non-existing | | | non-existing | | | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | non-existing | | | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | non-existing | | | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW | - | DeleteBucketLifecycle | non-existing | | | existing | applies | DENY | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | non-existing | | | non-existing | | | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | non-existing | | | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | non-existing | | | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW | - | DeleteBucketPolicy | non-existing | | | existing | applies | DENY | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketPolicy | non-existing | | | non-existing | | | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | non-existing | | | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | non-existing | | | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW | - | DeleteBucketReplication | non-existing | | | existing | applies | DENY | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketReplication | non-existing | | | non-existing | | | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | non-existing | | | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | non-existing | | | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW | - | DeleteBucketWebsite | non-existing | | | existing | applies | DENY | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketWebsite | non-existing | | | non-existing | | | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | ALLOW | non-existing | | | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObject | existing | applies | DENY | existing | applies | DENY | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | DENY | non-existing | | | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | non-existing | | | - | DeleteObject | non-existing | | | existing | applies | ALLOW | - | DeleteObject | non-existing | | | existing | applies | DENY | - | DeleteObject | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObject | non-existing | | | existing | does not apply | ALLOW | - | DeleteObject | non-existing | | | non-existing | | | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | non-existing | | | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | non-existing | | | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW | - | DeleteBucketTagging | non-existing | | | existing | applies | DENY | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketTagging | non-existing | | | non-existing | | | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectTagging | non-existing | | | non-existing | | | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | ALLOW | non-existing | | | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjects | existing | applies | DENY | existing | applies | DENY | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | DENY | non-existing | | | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjects | non-existing | | | existing | applies | ALLOW | - | DeleteObjects | non-existing | | | existing | applies | DENY | - | DeleteObjects | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjects | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjects | non-existing | | | non-existing | | | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | non-existing | | | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | DENY | existing | applies | DENY | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | DENY | non-existing | | | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW | - | GetBucketAcl | non-existing | | | existing | applies | DENY | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | GetBucketAcl | non-existing | | | non-existing | | | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | ALLOW | non-existing | | | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketCors | existing | applies | DENY | existing | applies | DENY | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | DENY | non-existing | | | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | non-existing | | | - | GetBucketCors | non-existing | | | existing | applies | ALLOW | - | GetBucketCors | non-existing | | | existing | applies | DENY | - | GetBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketCors | non-existing | | | existing | does not apply | ALLOW | - | GetBucketCors | non-existing | | | non-existing | | | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | non-existing | | | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | DENY | non-existing | | | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW | - | GetBucketEncryption | non-existing | | | existing | applies | DENY | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | GetBucketEncryption | non-existing | | | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | non-existing | | | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | non-existing | | | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | DENY | non-existing | | | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW | - | GetBucketPolicy | non-existing | | | existing | applies | DENY | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | GetBucketPolicy | non-existing | | | non-existing | | | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | non-existing | | | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | DENY | existing | applies | DENY | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | DENY | non-existing | | | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW | - | GetBucketReplication | non-existing | | | existing | applies | DENY | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | GetBucketReplication | non-existing | | | non-existing | | | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | non-existing | | | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | DENY | non-existing | | | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW | - | GetBucketVersioning | non-existing | | | existing | applies | DENY | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | GetBucketVersioning | non-existing | | | non-existing | | | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObject | existing | applies | ALLOW | existing | applies | DENY | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | applies | ALLOW | non-existing | | | - | GetObject | existing | applies | DENY | existing | applies | ALLOW | - | GetObject | existing | applies | DENY | existing | applies | DENY | - | GetObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObject | existing | applies | DENY | non-existing | | | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObject | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | does not apply | ALLOW | non-existing | | | - | GetObject | non-existing | | | existing | applies | ALLOW | - | GetObject | non-existing | | | existing | applies | DENY | - | GetObject | non-existing | | | existing | applies | ALLOW+DENY | - | GetObject | non-existing | | | existing | does not apply | ALLOW | - | GetObject | non-existing | | | non-existing | | | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | DENY | non-existing | | | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectAcl | non-existing | | | existing | applies | DENY | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectAcl | non-existing | | | non-existing | | | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | non-existing | | | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | GetObjectLegalHold | non-existing | | | existing | applies | DENY | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLegalHold | non-existing | | | non-existing | | | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | GetObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | non-existing | | | non-existing | | | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | non-existing | | | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | DENY | existing | applies | DENY | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | DENY | non-existing | | | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW | - | GetObjectRetention | non-existing | | | existing | applies | DENY | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | GetObjectRetention | non-existing | | | non-existing | | | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | non-existing | | | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | DENY | existing | applies | DENY | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | DENY | non-existing | | | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW | - | GetBucketTagging | non-existing | | | existing | applies | DENY | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | GetBucketTagging | non-existing | | | non-existing | | | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | DENY | non-existing | | | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectTagging | non-existing | | | existing | applies | DENY | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectTagging | non-existing | | | non-existing | | | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | applies | ALLOW | existing | applies | DENY | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | ALLOW | non-existing | | | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW | - | HeadBucket | existing | applies | DENY | existing | applies | DENY | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | DENY | non-existing | | | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | non-existing | | | - | HeadBucket | non-existing | | | existing | applies | ALLOW | - | HeadBucket | non-existing | | | existing | applies | DENY | - | HeadBucket | non-existing | | | existing | applies | ALLOW+DENY | - | HeadBucket | non-existing | | | existing | does not apply | ALLOW | - | HeadBucket | non-existing | | | non-existing | | | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | applies | ALLOW | existing | applies | DENY | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | applies | ALLOW | non-existing | | | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW | - | HeadObject | existing | applies | DENY | existing | applies | DENY | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadObject | existing | applies | DENY | non-existing | | | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | does not apply | ALLOW | non-existing | | | - | HeadObject | non-existing | | | existing | applies | ALLOW | - | HeadObject | non-existing | | | existing | applies | DENY | - | HeadObject | non-existing | | | existing | applies | ALLOW+DENY | - | HeadObject | non-existing | | | existing | does not apply | ALLOW | - | HeadObject | non-existing | | | non-existing | | | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | non-existing | | | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | DENY | existing | applies | DENY | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | DENY | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | DENY | non-existing | | | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | non-existing | | | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW | - | ListMultipartUploads | non-existing | | | existing | applies | DENY | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW+DENY | - | ListMultipartUploads | non-existing | | | existing | does not apply | ALLOW | - | ListMultipartUploads | non-existing | | | non-existing | | | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | non-existing | | | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | DENY | existing | applies | DENY | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | DENY | non-existing | | | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | non-existing | | | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW | - | ListObjectVersions | non-existing | | | existing | applies | DENY | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectVersions | non-existing | | | existing | does not apply | ALLOW | - | ListObjectVersions | non-existing | | | non-existing | | | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | applies | ALLOW | existing | applies | DENY | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | applies | ALLOW | non-existing | | | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW | - | ListObjects | existing | applies | DENY | existing | applies | DENY | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjects | existing | applies | DENY | non-existing | | | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | does not apply | ALLOW | non-existing | | | - | ListObjects | non-existing | | | existing | applies | ALLOW | - | ListObjects | non-existing | | | existing | applies | DENY | - | ListObjects | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjects | non-existing | | | existing | does not apply | ALLOW | - | ListObjects | non-existing | | | non-existing | | | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | non-existing | | | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | DENY | existing | applies | DENY | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | DENY | non-existing | | | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | non-existing | | | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW | - | ListObjectsV2 | non-existing | | | existing | applies | DENY | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectsV2 | non-existing | | | existing | does not apply | ALLOW | - | ListObjectsV2 | non-existing | | | non-existing | | | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | non-existing | | | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | DENY | existing | applies | DENY | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | DENY | non-existing | | | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW | - | PutBucketAcl | non-existing | | | existing | applies | DENY | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | PutBucketAcl | non-existing | | | non-existing | | | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | ALLOW | non-existing | | | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketCors | existing | applies | DENY | existing | applies | DENY | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | DENY | non-existing | | | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | non-existing | | | - | PutBucketCors | non-existing | | | existing | applies | ALLOW | - | PutBucketCors | non-existing | | | existing | applies | DENY | - | PutBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketCors | non-existing | | | existing | does not apply | ALLOW | - | PutBucketCors | non-existing | | | non-existing | | | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | non-existing | | | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | DENY | non-existing | | | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW | - | PutBucketEncryption | non-existing | | | existing | applies | DENY | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | PutBucketEncryption | non-existing | | | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | non-existing | | | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | non-existing | | | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | DENY | non-existing | | | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW | - | PutBucketPolicy | non-existing | | | existing | applies | DENY | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | PutBucketPolicy | non-existing | | | non-existing | | | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | non-existing | | | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | DENY | existing | applies | DENY | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | DENY | non-existing | | | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW | - | PutBucketReplication | non-existing | | | existing | applies | DENY | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | PutBucketReplication | non-existing | | | non-existing | | | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | non-existing | | | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | DENY | non-existing | | | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW | - | PutBucketVersioning | non-existing | | | existing | applies | DENY | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | PutBucketVersioning | non-existing | | | non-existing | | | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObject | existing | applies | ALLOW | existing | applies | DENY | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | applies | ALLOW | non-existing | | | - | PutObject | existing | applies | DENY | existing | applies | ALLOW | - | PutObject | existing | applies | DENY | existing | applies | DENY | - | PutObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObject | existing | applies | DENY | non-existing | | | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObject | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | does not apply | ALLOW | non-existing | | | - | PutObject | non-existing | | | existing | applies | ALLOW | - | PutObject | non-existing | | | existing | applies | DENY | - | PutObject | non-existing | | | existing | applies | ALLOW+DENY | - | PutObject | non-existing | | | existing | does not apply | ALLOW | - | PutObject | non-existing | | | non-existing | | | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | DENY | non-existing | | | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectAcl | non-existing | | | existing | applies | DENY | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectAcl | non-existing | | | non-existing | | | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLegalHold | non-existing | | | non-existing | | | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | PutObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | non-existing | | | non-existing | | | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | DENY | non-existing | | | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectRetention | non-existing | | | existing | applies | DENY | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectRetention | non-existing | | | non-existing | | | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | non-existing | | | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | DENY | existing | applies | DENY | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | DENY | non-existing | | | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW | - | PutBucketTagging | non-existing | | | existing | applies | DENY | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | PutBucketTagging | non-existing | | | non-existing | | | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | DENY | non-existing | | | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectTagging | non-existing | | | existing | applies | DENY | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectTagging | non-existing | | | non-existing | | | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | applies | ALLOW | existing | applies | DENY | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | applies | ALLOW | non-existing | | | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW | - | UploadPart | existing | applies | DENY | existing | applies | DENY | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPart | existing | applies | DENY | non-existing | | | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | does not apply | ALLOW | non-existing | | | - | UploadPart | non-existing | | | existing | applies | ALLOW | - | UploadPart | non-existing | | | existing | applies | DENY | - | UploadPart | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPart | non-existing | | | existing | does not apply | ALLOW | - | UploadPart | non-existing | | | non-existing | | | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | non-existing | | | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | DENY | existing | applies | DENY | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | DENY | non-existing | | | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | non-existing | | | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW | - | UploadPartCopy | non-existing | | | existing | applies | DENY | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPartCopy | non-existing | | | existing | does not apply | ALLOW | - | UploadPartCopy | non-existing | | | non-existing | | | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | non-existing | | | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersion | non-existing | | | existing | applies | DENY | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersion | non-existing | | | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | non-existing | | | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | non-existing | | | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | DENY | non-existing | | | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW | - | GetObjectVersion | non-existing | | | existing | applies | DENY | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersion | non-existing | | | non-existing | | | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | non-existing | | | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionAcl | non-existing | | | existing | applies | DENY | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionAcl | non-existing | | | non-existing | | | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | non-existing | | | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionTagging | non-existing | | | existing | applies | DENY | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | non-existing | | | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionAcl | non-existing | | | existing | applies | DENY | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionAcl | non-existing | | | non-existing | | | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | non-existing | | | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionTagging | non-existing | | | existing | applies | DENY | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | non-existing | | | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionRetention | non-existing | | | existing | applies | DENY | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionRetention | non-existing | | | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | non-existing | | | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | applies | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | ALLOW | non-existing | | | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW | - | MetadataSearch | existing | applies | DENY | existing | applies | DENY | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | DENY | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | DENY | non-existing | | | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | non-existing | | | - | MetadataSearch | non-existing | | | existing | applies | ALLOW | - | MetadataSearch | non-existing | | | existing | applies | DENY | - | MetadataSearch | non-existing | | | existing | applies | ALLOW+DENY | - | MetadataSearch | non-existing | | | existing | does not apply | ALLOW | - | MetadataSearch | non-existing | | | non-existing | | | diff --git a/tests/ctst/features/resource-policies/Conditions.feature b/tests/ctst/features/resource-policies/Conditions.feature deleted file mode 100644 index 90795c8211..0000000000 --- a/tests/ctst/features/resource-policies/Conditions.feature +++ /dev/null @@ -1,52 +0,0 @@ -Feature: S3 Bucket Policies Conditions - Bucket policies conditions controls when a policy is in effect. They are independent - from the API(s) being called. They are used to control the effect of the policy - based on the context of the request. For example, you can use conditions to - control access to a bucket based on the IP address of the requestor. - - @2.6.0 - @PreMerge - @BucketPolicies - @BucketPoliciesConditions - Scenario Outline: Bucket policies with IP address conditions - Given an action "GetObject" - And an existing bucket prepared for the action - And a IAM_USER type - And an environment setup for the API - And an "non-existing" IAM Policy that "" with "" effect for the current API - And a condition for the bucket policy with "" "" "" expecting "" - And an "existing" S3 Bucket Policy that "applies" with "ALLOW" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | conditionVerb | conditionType | conditionValue | expect | - | IpAddress | aws:SourceIp | 0.0.0.0/0 | Allow | - | NotIpAddress | aws:SourceIp | 10.0.1.0 | Allow | - | IpAddress | aws:SourceIp | 192.0.0.1 | Deny | - | IpAddress | aws:SourceIp | 0.0.0.0/0,10.0.2.0 | Allow | - | IpAddress | aws:SourceIp | 192.0.0.1,10.0.2.0 | Deny | - | NotIpAddress | aws:SourceIp | 0.0.0.0/0,10.0.2.0 | Deny | - | NotIpAddress | aws:SourceIp | 192.0.0.1,10.0.2.0 | Allow | - - @2.6.0 - @PreMerge - @BucketPolicies - @BucketPoliciesConditions - Scenario Outline: Bucket policies with retention days conditions - Given an action "PutObjectRetention" - And an existing bucket prepared for the action - And a IAM_USER type - And an environment setup for the API - And an "non-existing" IAM Policy that "" with "" effect for the current API - And a condition for the bucket policy with "" "" "" expecting "" - And an "existing" S3 Bucket Policy that "applies" with "ALLOW" effect for the current API - And a retention date set to "" days - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | conditionVerb | conditionType | retentionDate | conditionValue | expect | - | NumericLessThanEquals | s3:object-lock-remaining-retention-days | 80 | 100 | Allow | - | NumericGreaterThan | s3:object-lock-remaining-retention-days | 80 | 100 | Deny | - | NumericEquals | s3:object-lock-remaining-retention-days | 100 | 100 | Allow | - | NumericGreaterThan | s3:object-lock-remaining-retention-days | 200 | 100 | Allow | - | NumericLessThan | s3:object-lock-remaining-retention-days | 200 | 100 | Deny | diff --git a/tests/ctst/features/resource-policies/CrossAccountAssumeRole.feature b/tests/ctst/features/resource-policies/CrossAccountAssumeRole.feature deleted file mode 100644 index 5c9e12fbfd..0000000000 --- a/tests/ctst/features/resource-policies/CrossAccountAssumeRole.feature +++ /dev/null @@ -1,1283 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow for IAM Assume Roles (cross account) - This feature allows you to create and attach bucket policies to S3 buckets. - IAM Users should have the permissions to perform the actions that they are granted in their bucket policies - based on the other permissions they also have from their role. - This test suite is not meant to be human-readable, but brings confidence in our Authz flow for all supported - S3 actions. - - @2.6.0 - @PreMerge - @BucketPolicies - @BP-ASSUME_ROLE_USER_CROSS_ACCOUNT - Scenario Outline: ASSUME ROLE CROSS ACCOUNT: IAM Policy and S3 Bucket Policy - Given an action "" - And an existing bucket prepared for the action - And a ASSUME_ROLE_USER_CROSS_ACCOUNT type - And an environment setup for the API - And an "" IAM Policy that "" with "" effect for the current API - And an "" S3 Bucket Policy that "" with "" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | action | bucketPolicyExists | bucketPolicyApplies | bucketPolicyEffect | iamPolicyExists | iamPolicyApplies | iamPolicyEffect | - # Everything below is generated - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | non-existing | | | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | non-existing | | | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW | - | AbortMultipartUpload | non-existing | | | existing | applies | DENY | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | AbortMultipartUpload | non-existing | | | non-existing | | | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | non-existing | | | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CompleteMultipartUpload | non-existing | | | existing | applies | DENY | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CompleteMultipartUpload | non-existing | | | non-existing | | | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | applies | ALLOW | existing | applies | DENY | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | applies | ALLOW | non-existing | | | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW | - | CopyObject | existing | applies | DENY | existing | applies | DENY | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | DENY | existing | does not apply | ALLOW | - | CopyObject | existing | applies | DENY | non-existing | | | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | does not apply | ALLOW | existing | applies | DENY | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | does not apply | ALLOW | non-existing | | | - | CopyObject | non-existing | | | existing | applies | ALLOW | - | CopyObject | non-existing | | | existing | applies | DENY | - | CopyObject | non-existing | | | existing | applies | ALLOW+DENY | - | CopyObject | non-existing | | | existing | does not apply | ALLOW | - | CopyObject | non-existing | | | non-existing | | | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | non-existing | | | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CreateMultipartUpload | non-existing | | | existing | applies | DENY | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CreateMultipartUpload | non-existing | | | non-existing | | | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | ALLOW | non-existing | | | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucket | existing | applies | DENY | existing | applies | DENY | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | DENY | non-existing | | | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucket | non-existing | | | existing | applies | ALLOW | - | DeleteBucket | non-existing | | | existing | applies | DENY | - | DeleteBucket | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucket | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucket | non-existing | | | non-existing | | | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | non-existing | | | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | DENY | non-existing | | | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW | - | DeleteBucketCors | non-existing | | | existing | applies | DENY | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketCors | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketCors | non-existing | | | non-existing | | | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | non-existing | | | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | non-existing | | | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW | - | DeleteBucketEncryption | non-existing | | | existing | applies | DENY | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketEncryption | non-existing | | | non-existing | | | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | non-existing | | | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | non-existing | | | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW | - | DeleteBucketLifecycle | non-existing | | | existing | applies | DENY | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | non-existing | | | non-existing | | | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | non-existing | | | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | non-existing | | | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW | - | DeleteBucketPolicy | non-existing | | | existing | applies | DENY | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketPolicy | non-existing | | | non-existing | | | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | non-existing | | | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | non-existing | | | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW | - | DeleteBucketReplication | non-existing | | | existing | applies | DENY | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketReplication | non-existing | | | non-existing | | | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | non-existing | | | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | non-existing | | | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW | - | DeleteBucketWebsite | non-existing | | | existing | applies | DENY | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketWebsite | non-existing | | | non-existing | | | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | ALLOW | non-existing | | | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObject | existing | applies | DENY | existing | applies | DENY | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | DENY | non-existing | | | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | non-existing | | | - | DeleteObject | non-existing | | | existing | applies | ALLOW | - | DeleteObject | non-existing | | | existing | applies | DENY | - | DeleteObject | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObject | non-existing | | | existing | does not apply | ALLOW | - | DeleteObject | non-existing | | | non-existing | | | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | non-existing | | | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | non-existing | | | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW | - | DeleteBucketTagging | non-existing | | | existing | applies | DENY | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketTagging | non-existing | | | non-existing | | | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectTagging | non-existing | | | non-existing | | | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | ALLOW | non-existing | | | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjects | existing | applies | DENY | existing | applies | DENY | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | DENY | non-existing | | | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjects | non-existing | | | existing | applies | ALLOW | - | DeleteObjects | non-existing | | | existing | applies | DENY | - | DeleteObjects | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjects | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjects | non-existing | | | non-existing | | | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | non-existing | | | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | DENY | existing | applies | DENY | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | DENY | non-existing | | | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW | - | GetBucketAcl | non-existing | | | existing | applies | DENY | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | GetBucketAcl | non-existing | | | non-existing | | | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | ALLOW | non-existing | | | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketCors | existing | applies | DENY | existing | applies | DENY | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | DENY | non-existing | | | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | non-existing | | | - | GetBucketCors | non-existing | | | existing | applies | ALLOW | - | GetBucketCors | non-existing | | | existing | applies | DENY | - | GetBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketCors | non-existing | | | existing | does not apply | ALLOW | - | GetBucketCors | non-existing | | | non-existing | | | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | non-existing | | | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | DENY | non-existing | | | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW | - | GetBucketEncryption | non-existing | | | existing | applies | DENY | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | GetBucketEncryption | non-existing | | | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | non-existing | | | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | non-existing | | | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | DENY | non-existing | | | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW | - | GetBucketPolicy | non-existing | | | existing | applies | DENY | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | GetBucketPolicy | non-existing | | | non-existing | | | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | non-existing | | | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | DENY | existing | applies | DENY | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | DENY | non-existing | | | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW | - | GetBucketReplication | non-existing | | | existing | applies | DENY | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | GetBucketReplication | non-existing | | | non-existing | | | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | non-existing | | | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | DENY | non-existing | | | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW | - | GetBucketVersioning | non-existing | | | existing | applies | DENY | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | GetBucketVersioning | non-existing | | | non-existing | | | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObject | existing | applies | ALLOW | existing | applies | DENY | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | applies | ALLOW | non-existing | | | - | GetObject | existing | applies | DENY | existing | applies | ALLOW | - | GetObject | existing | applies | DENY | existing | applies | DENY | - | GetObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObject | existing | applies | DENY | non-existing | | | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObject | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | does not apply | ALLOW | non-existing | | | - | GetObject | non-existing | | | existing | applies | ALLOW | - | GetObject | non-existing | | | existing | applies | DENY | - | GetObject | non-existing | | | existing | applies | ALLOW+DENY | - | GetObject | non-existing | | | existing | does not apply | ALLOW | - | GetObject | non-existing | | | non-existing | | | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | DENY | non-existing | | | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectAcl | non-existing | | | existing | applies | DENY | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectAcl | non-existing | | | non-existing | | | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | non-existing | | | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | GetObjectLegalHold | non-existing | | | existing | applies | DENY | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLegalHold | non-existing | | | non-existing | | | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | GetObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | non-existing | | | non-existing | | | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | non-existing | | | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | DENY | existing | applies | DENY | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | DENY | non-existing | | | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW | - | GetObjectRetention | non-existing | | | existing | applies | DENY | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | GetObjectRetention | non-existing | | | non-existing | | | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | non-existing | | | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | DENY | existing | applies | DENY | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | DENY | non-existing | | | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW | - | GetBucketTagging | non-existing | | | existing | applies | DENY | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | GetBucketTagging | non-existing | | | non-existing | | | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | DENY | non-existing | | | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectTagging | non-existing | | | existing | applies | DENY | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectTagging | non-existing | | | non-existing | | | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | applies | ALLOW | existing | applies | DENY | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | ALLOW | non-existing | | | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW | - | HeadBucket | existing | applies | DENY | existing | applies | DENY | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | DENY | non-existing | | | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | non-existing | | | - | HeadBucket | non-existing | | | existing | applies | ALLOW | - | HeadBucket | non-existing | | | existing | applies | DENY | - | HeadBucket | non-existing | | | existing | applies | ALLOW+DENY | - | HeadBucket | non-existing | | | existing | does not apply | ALLOW | - | HeadBucket | non-existing | | | non-existing | | | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | applies | ALLOW | existing | applies | DENY | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | applies | ALLOW | non-existing | | | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW | - | HeadObject | existing | applies | DENY | existing | applies | DENY | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadObject | existing | applies | DENY | non-existing | | | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | does not apply | ALLOW | non-existing | | | - | HeadObject | non-existing | | | existing | applies | ALLOW | - | HeadObject | non-existing | | | existing | applies | DENY | - | HeadObject | non-existing | | | existing | applies | ALLOW+DENY | - | HeadObject | non-existing | | | existing | does not apply | ALLOW | - | HeadObject | non-existing | | | non-existing | | | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | non-existing | | | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | DENY | existing | applies | DENY | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | DENY | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | DENY | non-existing | | | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | non-existing | | | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW | - | ListMultipartUploads | non-existing | | | existing | applies | DENY | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW+DENY | - | ListMultipartUploads | non-existing | | | existing | does not apply | ALLOW | - | ListMultipartUploads | non-existing | | | non-existing | | | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | non-existing | | | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | DENY | existing | applies | DENY | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | DENY | non-existing | | | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | non-existing | | | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW | - | ListObjectVersions | non-existing | | | existing | applies | DENY | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectVersions | non-existing | | | existing | does not apply | ALLOW | - | ListObjectVersions | non-existing | | | non-existing | | | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | applies | ALLOW | existing | applies | DENY | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | applies | ALLOW | non-existing | | | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW | - | ListObjects | existing | applies | DENY | existing | applies | DENY | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjects | existing | applies | DENY | non-existing | | | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | does not apply | ALLOW | non-existing | | | - | ListObjects | non-existing | | | existing | applies | ALLOW | - | ListObjects | non-existing | | | existing | applies | DENY | - | ListObjects | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjects | non-existing | | | existing | does not apply | ALLOW | - | ListObjects | non-existing | | | non-existing | | | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | non-existing | | | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | DENY | existing | applies | DENY | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | DENY | non-existing | | | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | non-existing | | | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW | - | ListObjectsV2 | non-existing | | | existing | applies | DENY | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectsV2 | non-existing | | | existing | does not apply | ALLOW | - | ListObjectsV2 | non-existing | | | non-existing | | | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | non-existing | | | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | DENY | existing | applies | DENY | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | DENY | non-existing | | | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW | - | PutBucketAcl | non-existing | | | existing | applies | DENY | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | PutBucketAcl | non-existing | | | non-existing | | | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | ALLOW | non-existing | | | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketCors | existing | applies | DENY | existing | applies | DENY | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | DENY | non-existing | | | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | non-existing | | | - | PutBucketCors | non-existing | | | existing | applies | ALLOW | - | PutBucketCors | non-existing | | | existing | applies | DENY | - | PutBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketCors | non-existing | | | existing | does not apply | ALLOW | - | PutBucketCors | non-existing | | | non-existing | | | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | non-existing | | | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | DENY | non-existing | | | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW | - | PutBucketEncryption | non-existing | | | existing | applies | DENY | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | PutBucketEncryption | non-existing | | | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | non-existing | | | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | non-existing | | | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | DENY | non-existing | | | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW | - | PutBucketPolicy | non-existing | | | existing | applies | DENY | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | PutBucketPolicy | non-existing | | | non-existing | | | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | non-existing | | | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | DENY | existing | applies | DENY | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | DENY | non-existing | | | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW | - | PutBucketReplication | non-existing | | | existing | applies | DENY | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | PutBucketReplication | non-existing | | | non-existing | | | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | non-existing | | | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | DENY | non-existing | | | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW | - | PutBucketVersioning | non-existing | | | existing | applies | DENY | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | PutBucketVersioning | non-existing | | | non-existing | | | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObject | existing | applies | ALLOW | existing | applies | DENY | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | applies | ALLOW | non-existing | | | - | PutObject | existing | applies | DENY | existing | applies | ALLOW | - | PutObject | existing | applies | DENY | existing | applies | DENY | - | PutObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObject | existing | applies | DENY | non-existing | | | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObject | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | does not apply | ALLOW | non-existing | | | - | PutObject | non-existing | | | existing | applies | ALLOW | - | PutObject | non-existing | | | existing | applies | DENY | - | PutObject | non-existing | | | existing | applies | ALLOW+DENY | - | PutObject | non-existing | | | existing | does not apply | ALLOW | - | PutObject | non-existing | | | non-existing | | | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | DENY | non-existing | | | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectAcl | non-existing | | | existing | applies | DENY | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectAcl | non-existing | | | non-existing | | | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLegalHold | non-existing | | | non-existing | | | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | PutObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | non-existing | | | non-existing | | | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | DENY | non-existing | | | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectRetention | non-existing | | | existing | applies | DENY | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectRetention | non-existing | | | non-existing | | | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | non-existing | | | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | DENY | existing | applies | DENY | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | DENY | non-existing | | | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW | - | PutBucketTagging | non-existing | | | existing | applies | DENY | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | PutBucketTagging | non-existing | | | non-existing | | | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | DENY | non-existing | | | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectTagging | non-existing | | | existing | applies | DENY | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectTagging | non-existing | | | non-existing | | | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | applies | ALLOW | existing | applies | DENY | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | applies | ALLOW | non-existing | | | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW | - | UploadPart | existing | applies | DENY | existing | applies | DENY | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPart | existing | applies | DENY | non-existing | | | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | does not apply | ALLOW | non-existing | | | - | UploadPart | non-existing | | | existing | applies | ALLOW | - | UploadPart | non-existing | | | existing | applies | DENY | - | UploadPart | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPart | non-existing | | | existing | does not apply | ALLOW | - | UploadPart | non-existing | | | non-existing | | | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | non-existing | | | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | DENY | existing | applies | DENY | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | DENY | non-existing | | | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | non-existing | | | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW | - | UploadPartCopy | non-existing | | | existing | applies | DENY | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPartCopy | non-existing | | | existing | does not apply | ALLOW | - | UploadPartCopy | non-existing | | | non-existing | | | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | non-existing | | | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersion | non-existing | | | existing | applies | DENY | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersion | non-existing | | | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | non-existing | | | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | non-existing | | | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | DENY | non-existing | | | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW | - | GetObjectVersion | non-existing | | | existing | applies | DENY | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersion | non-existing | | | non-existing | | | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | non-existing | | | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionAcl | non-existing | | | existing | applies | DENY | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionAcl | non-existing | | | non-existing | | | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | non-existing | | | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionTagging | non-existing | | | existing | applies | DENY | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | non-existing | | | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionAcl | non-existing | | | existing | applies | DENY | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionAcl | non-existing | | | non-existing | | | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | non-existing | | | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionTagging | non-existing | | | existing | applies | DENY | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | non-existing | | | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionRetention | non-existing | | | existing | applies | DENY | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionRetention | non-existing | | | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | non-existing | | | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | applies | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | ALLOW | non-existing | | | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW | - | MetadataSearch | existing | applies | DENY | existing | applies | DENY | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | DENY | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | DENY | non-existing | | | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | non-existing | | | - | MetadataSearch | non-existing | | | existing | applies | ALLOW | - | MetadataSearch | non-existing | | | existing | applies | DENY | - | MetadataSearch | non-existing | | | existing | applies | ALLOW+DENY | - | MetadataSearch | non-existing | | | existing | does not apply | ALLOW | - | MetadataSearch | non-existing | | | non-existing | | | diff --git a/tests/ctst/features/resource-policies/IAMUser.feature b/tests/ctst/features/resource-policies/IAMUser.feature deleted file mode 100644 index 50e0a4c08f..0000000000 --- a/tests/ctst/features/resource-policies/IAMUser.feature +++ /dev/null @@ -1,1283 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow for IAM Users - This feature allows you to create and attach bucket policies to S3 buckets. - IAM Users should have the permissions to perform the actions that they are granted in their bucket policies - based on the other permissions they also have. - This test suite is not meant to be human-readable, but brings confidence in our Authz flow for all supported - S3 actions. - - @2.6.0 - @PreMerge - @BucketPolicies - @BP-IAM_USER - Scenario Outline: IAM USER: IAM Policy and S3 Bucket Policy - Given an action "" - And an existing bucket prepared for the action - And a IAM_USER type - And an environment setup for the API - And an "" IAM Policy that "" with "" effect for the current API - And an "" S3 Bucket Policy that "" with "" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | action | bucketPolicyExists | bucketPolicyApplies | bucketPolicyEffect | iamPolicyExists | iamPolicyApplies | iamPolicyEffect | - # Everything below is generated - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | non-existing | | | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | non-existing | | | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW | - | AbortMultipartUpload | non-existing | | | existing | applies | DENY | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | AbortMultipartUpload | non-existing | | | non-existing | | | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | non-existing | | | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CompleteMultipartUpload | non-existing | | | existing | applies | DENY | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CompleteMultipartUpload | non-existing | | | non-existing | | | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | applies | ALLOW | existing | applies | DENY | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | applies | ALLOW | non-existing | | | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW | - | CopyObject | existing | applies | DENY | existing | applies | DENY | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | DENY | existing | does not apply | ALLOW | - | CopyObject | existing | applies | DENY | non-existing | | | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | does not apply | ALLOW | existing | applies | DENY | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | does not apply | ALLOW | non-existing | | | - | CopyObject | non-existing | | | existing | applies | ALLOW | - | CopyObject | non-existing | | | existing | applies | DENY | - | CopyObject | non-existing | | | existing | applies | ALLOW+DENY | - | CopyObject | non-existing | | | existing | does not apply | ALLOW | - | CopyObject | non-existing | | | non-existing | | | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | non-existing | | | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CreateMultipartUpload | non-existing | | | existing | applies | DENY | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CreateMultipartUpload | non-existing | | | non-existing | | | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | ALLOW | non-existing | | | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucket | existing | applies | DENY | existing | applies | DENY | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | DENY | non-existing | | | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucket | non-existing | | | existing | applies | ALLOW | - | DeleteBucket | non-existing | | | existing | applies | DENY | - | DeleteBucket | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucket | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucket | non-existing | | | non-existing | | | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | non-existing | | | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | DENY | non-existing | | | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW | - | DeleteBucketCors | non-existing | | | existing | applies | DENY | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketCors | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketCors | non-existing | | | non-existing | | | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | non-existing | | | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | non-existing | | | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW | - | DeleteBucketEncryption | non-existing | | | existing | applies | DENY | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketEncryption | non-existing | | | non-existing | | | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | non-existing | | | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | non-existing | | | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW | - | DeleteBucketLifecycle | non-existing | | | existing | applies | DENY | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | non-existing | | | non-existing | | | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | non-existing | | | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | non-existing | | | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW | - | DeleteBucketPolicy | non-existing | | | existing | applies | DENY | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketPolicy | non-existing | | | non-existing | | | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | non-existing | | | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | non-existing | | | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW | - | DeleteBucketReplication | non-existing | | | existing | applies | DENY | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketReplication | non-existing | | | non-existing | | | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | non-existing | | | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | non-existing | | | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW | - | DeleteBucketWebsite | non-existing | | | existing | applies | DENY | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketWebsite | non-existing | | | non-existing | | | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | ALLOW | non-existing | | | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObject | existing | applies | DENY | existing | applies | DENY | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | DENY | non-existing | | | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | non-existing | | | - | DeleteObject | non-existing | | | existing | applies | ALLOW | - | DeleteObject | non-existing | | | existing | applies | DENY | - | DeleteObject | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObject | non-existing | | | existing | does not apply | ALLOW | - | DeleteObject | non-existing | | | non-existing | | | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | non-existing | | | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | non-existing | | | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW | - | DeleteBucketTagging | non-existing | | | existing | applies | DENY | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketTagging | non-existing | | | non-existing | | | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectTagging | non-existing | | | non-existing | | | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | ALLOW | non-existing | | | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjects | existing | applies | DENY | existing | applies | DENY | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | DENY | non-existing | | | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjects | non-existing | | | existing | applies | ALLOW | - | DeleteObjects | non-existing | | | existing | applies | DENY | - | DeleteObjects | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjects | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjects | non-existing | | | non-existing | | | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | non-existing | | | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | DENY | existing | applies | DENY | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | DENY | non-existing | | | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW | - | GetBucketAcl | non-existing | | | existing | applies | DENY | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | GetBucketAcl | non-existing | | | non-existing | | | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | ALLOW | non-existing | | | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketCors | existing | applies | DENY | existing | applies | DENY | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | DENY | non-existing | | | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | non-existing | | | - | GetBucketCors | non-existing | | | existing | applies | ALLOW | - | GetBucketCors | non-existing | | | existing | applies | DENY | - | GetBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketCors | non-existing | | | existing | does not apply | ALLOW | - | GetBucketCors | non-existing | | | non-existing | | | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | non-existing | | | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | DENY | non-existing | | | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW | - | GetBucketEncryption | non-existing | | | existing | applies | DENY | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | GetBucketEncryption | non-existing | | | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | non-existing | | | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | non-existing | | | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | DENY | non-existing | | | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW | - | GetBucketPolicy | non-existing | | | existing | applies | DENY | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | GetBucketPolicy | non-existing | | | non-existing | | | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | non-existing | | | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | DENY | existing | applies | DENY | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | DENY | non-existing | | | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW | - | GetBucketReplication | non-existing | | | existing | applies | DENY | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | GetBucketReplication | non-existing | | | non-existing | | | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | non-existing | | | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | DENY | non-existing | | | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW | - | GetBucketVersioning | non-existing | | | existing | applies | DENY | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | GetBucketVersioning | non-existing | | | non-existing | | | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObject | existing | applies | ALLOW | existing | applies | DENY | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | applies | ALLOW | non-existing | | | - | GetObject | existing | applies | DENY | existing | applies | ALLOW | - | GetObject | existing | applies | DENY | existing | applies | DENY | - | GetObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObject | existing | applies | DENY | non-existing | | | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObject | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | does not apply | ALLOW | non-existing | | | - | GetObject | non-existing | | | existing | applies | ALLOW | - | GetObject | non-existing | | | existing | applies | DENY | - | GetObject | non-existing | | | existing | applies | ALLOW+DENY | - | GetObject | non-existing | | | existing | does not apply | ALLOW | - | GetObject | non-existing | | | non-existing | | | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | DENY | non-existing | | | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectAcl | non-existing | | | existing | applies | DENY | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectAcl | non-existing | | | non-existing | | | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | non-existing | | | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | GetObjectLegalHold | non-existing | | | existing | applies | DENY | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLegalHold | non-existing | | | non-existing | | | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | GetObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | non-existing | | | non-existing | | | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | non-existing | | | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | DENY | existing | applies | DENY | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | DENY | non-existing | | | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW | - | GetObjectRetention | non-existing | | | existing | applies | DENY | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | GetObjectRetention | non-existing | | | non-existing | | | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | non-existing | | | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | DENY | existing | applies | DENY | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | DENY | non-existing | | | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW | - | GetBucketTagging | non-existing | | | existing | applies | DENY | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | GetBucketTagging | non-existing | | | non-existing | | | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | DENY | non-existing | | | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectTagging | non-existing | | | existing | applies | DENY | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectTagging | non-existing | | | non-existing | | | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | applies | ALLOW | existing | applies | DENY | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | ALLOW | non-existing | | | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW | - | HeadBucket | existing | applies | DENY | existing | applies | DENY | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | DENY | non-existing | | | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | non-existing | | | - | HeadBucket | non-existing | | | existing | applies | ALLOW | - | HeadBucket | non-existing | | | existing | applies | DENY | - | HeadBucket | non-existing | | | existing | applies | ALLOW+DENY | - | HeadBucket | non-existing | | | existing | does not apply | ALLOW | - | HeadBucket | non-existing | | | non-existing | | | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | applies | ALLOW | existing | applies | DENY | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | applies | ALLOW | non-existing | | | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW | - | HeadObject | existing | applies | DENY | existing | applies | DENY | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadObject | existing | applies | DENY | non-existing | | | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | does not apply | ALLOW | non-existing | | | - | HeadObject | non-existing | | | existing | applies | ALLOW | - | HeadObject | non-existing | | | existing | applies | DENY | - | HeadObject | non-existing | | | existing | applies | ALLOW+DENY | - | HeadObject | non-existing | | | existing | does not apply | ALLOW | - | HeadObject | non-existing | | | non-existing | | | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | non-existing | | | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | DENY | existing | applies | DENY | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | DENY | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | DENY | non-existing | | | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | non-existing | | | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW | - | ListMultipartUploads | non-existing | | | existing | applies | DENY | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW+DENY | - | ListMultipartUploads | non-existing | | | existing | does not apply | ALLOW | - | ListMultipartUploads | non-existing | | | non-existing | | | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | non-existing | | | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | DENY | existing | applies | DENY | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | DENY | non-existing | | | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | non-existing | | | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW | - | ListObjectVersions | non-existing | | | existing | applies | DENY | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectVersions | non-existing | | | existing | does not apply | ALLOW | - | ListObjectVersions | non-existing | | | non-existing | | | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | applies | ALLOW | existing | applies | DENY | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | applies | ALLOW | non-existing | | | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW | - | ListObjects | existing | applies | DENY | existing | applies | DENY | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjects | existing | applies | DENY | non-existing | | | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | does not apply | ALLOW | non-existing | | | - | ListObjects | non-existing | | | existing | applies | ALLOW | - | ListObjects | non-existing | | | existing | applies | DENY | - | ListObjects | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjects | non-existing | | | existing | does not apply | ALLOW | - | ListObjects | non-existing | | | non-existing | | | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | non-existing | | | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | DENY | existing | applies | DENY | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | DENY | non-existing | | | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | non-existing | | | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW | - | ListObjectsV2 | non-existing | | | existing | applies | DENY | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectsV2 | non-existing | | | existing | does not apply | ALLOW | - | ListObjectsV2 | non-existing | | | non-existing | | | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | non-existing | | | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | DENY | existing | applies | DENY | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | DENY | non-existing | | | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW | - | PutBucketAcl | non-existing | | | existing | applies | DENY | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | PutBucketAcl | non-existing | | | non-existing | | | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | ALLOW | non-existing | | | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketCors | existing | applies | DENY | existing | applies | DENY | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | DENY | non-existing | | | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | non-existing | | | - | PutBucketCors | non-existing | | | existing | applies | ALLOW | - | PutBucketCors | non-existing | | | existing | applies | DENY | - | PutBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketCors | non-existing | | | existing | does not apply | ALLOW | - | PutBucketCors | non-existing | | | non-existing | | | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | non-existing | | | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | DENY | non-existing | | | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW | - | PutBucketEncryption | non-existing | | | existing | applies | DENY | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | PutBucketEncryption | non-existing | | | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | non-existing | | | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | non-existing | | | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | DENY | non-existing | | | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW | - | PutBucketPolicy | non-existing | | | existing | applies | DENY | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | PutBucketPolicy | non-existing | | | non-existing | | | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | non-existing | | | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | DENY | existing | applies | DENY | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | DENY | non-existing | | | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW | - | PutBucketReplication | non-existing | | | existing | applies | DENY | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | PutBucketReplication | non-existing | | | non-existing | | | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | non-existing | | | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | DENY | non-existing | | | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW | - | PutBucketVersioning | non-existing | | | existing | applies | DENY | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | PutBucketVersioning | non-existing | | | non-existing | | | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObject | existing | applies | ALLOW | existing | applies | DENY | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | applies | ALLOW | non-existing | | | - | PutObject | existing | applies | DENY | existing | applies | ALLOW | - | PutObject | existing | applies | DENY | existing | applies | DENY | - | PutObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObject | existing | applies | DENY | non-existing | | | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObject | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | does not apply | ALLOW | non-existing | | | - | PutObject | non-existing | | | existing | applies | ALLOW | - | PutObject | non-existing | | | existing | applies | DENY | - | PutObject | non-existing | | | existing | applies | ALLOW+DENY | - | PutObject | non-existing | | | existing | does not apply | ALLOW | - | PutObject | non-existing | | | non-existing | | | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | DENY | non-existing | | | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectAcl | non-existing | | | existing | applies | DENY | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectAcl | non-existing | | | non-existing | | | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLegalHold | non-existing | | | non-existing | | | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | PutObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | non-existing | | | non-existing | | | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | DENY | non-existing | | | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectRetention | non-existing | | | existing | applies | DENY | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectRetention | non-existing | | | non-existing | | | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | non-existing | | | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | DENY | existing | applies | DENY | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | DENY | non-existing | | | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW | - | PutBucketTagging | non-existing | | | existing | applies | DENY | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | PutBucketTagging | non-existing | | | non-existing | | | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | DENY | non-existing | | | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectTagging | non-existing | | | existing | applies | DENY | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectTagging | non-existing | | | non-existing | | | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | applies | ALLOW | existing | applies | DENY | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | applies | ALLOW | non-existing | | | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW | - | UploadPart | existing | applies | DENY | existing | applies | DENY | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPart | existing | applies | DENY | non-existing | | | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | does not apply | ALLOW | non-existing | | | - | UploadPart | non-existing | | | existing | applies | ALLOW | - | UploadPart | non-existing | | | existing | applies | DENY | - | UploadPart | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPart | non-existing | | | existing | does not apply | ALLOW | - | UploadPart | non-existing | | | non-existing | | | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | non-existing | | | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | DENY | existing | applies | DENY | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | DENY | non-existing | | | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | non-existing | | | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW | - | UploadPartCopy | non-existing | | | existing | applies | DENY | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPartCopy | non-existing | | | existing | does not apply | ALLOW | - | UploadPartCopy | non-existing | | | non-existing | | | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | non-existing | | | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersion | non-existing | | | existing | applies | DENY | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersion | non-existing | | | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | non-existing | | | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | non-existing | | | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | DENY | non-existing | | | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW | - | GetObjectVersion | non-existing | | | existing | applies | DENY | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersion | non-existing | | | non-existing | | | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | non-existing | | | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionAcl | non-existing | | | existing | applies | DENY | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionAcl | non-existing | | | non-existing | | | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | non-existing | | | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionTagging | non-existing | | | existing | applies | DENY | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | non-existing | | | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionAcl | non-existing | | | existing | applies | DENY | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionAcl | non-existing | | | non-existing | | | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | non-existing | | | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionTagging | non-existing | | | existing | applies | DENY | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | non-existing | | | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionRetention | non-existing | | | existing | applies | DENY | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionRetention | non-existing | | | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | non-existing | | | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | applies | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | ALLOW | non-existing | | | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW | - | MetadataSearch | existing | applies | DENY | existing | applies | DENY | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | DENY | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | DENY | non-existing | | | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | non-existing | | | - | MetadataSearch | non-existing | | | existing | applies | ALLOW | - | MetadataSearch | non-existing | | | existing | applies | DENY | - | MetadataSearch | non-existing | | | existing | applies | ALLOW+DENY | - | MetadataSearch | non-existing | | | existing | does not apply | ALLOW | - | MetadataSearch | non-existing | | | non-existing | | | diff --git a/tests/ctst/features/resource-policies/UseCases.feature b/tests/ctst/features/resource-policies/UseCases.feature deleted file mode 100644 index 679512eea1..0000000000 --- a/tests/ctst/features/resource-policies/UseCases.feature +++ /dev/null @@ -1,81 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow use cases - Bucket policies feature should ensure the customer use cases are - supported. - - @2.6.0 - @PreMerge - @BucketPolicies - Scenario Outline: Use case : bucket policy, all access, - Given an action "" - And an existing bucket prepared for the action - And a IAM_USER type - And an environment setup for the API - And an "non-existing" IAM Policy that "" with "" effect for the current API - And a policy granting full access to the objects and read access to the bucket - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | action | - | AbortMultipartUpload | - | CompleteMultipartUpload | - | CopyObject | - | CreateMultipartUpload | - | DeleteBucket | - | DeleteBucketCors | - | DeleteBucketEncryption | - | DeleteBucketLifecycle | - | DeleteBucketPolicy | - | DeleteBucketReplication | - | DeleteBucketWebsite | - | DeleteObject | - | DeleteBucketTagging | - | DeleteObjectTagging | - | DeleteObjects | - | GetBucketAcl | - | GetBucketCors | - | GetBucketEncryption | - | GetBucketLifecycleConfiguration | - | GetBucketNotificationConfiguration | - | GetBucketPolicy | - | GetBucketReplication | - | GetBucketVersioning | - | GetObject | - | GetObjectAcl | - | GetObjectLegalHold | - | GetObjectLockConfiguration | - | GetObjectRetention | - | GetBucketTagging | - | GetObjectTagging | - | HeadBucket | - | HeadObject | - | ListMultipartUploads | - | ListObjectVersions | - | ListObjects | - | ListObjectsV2 | - | PutBucketAcl | - | PutBucketCors | - | PutBucketEncryption | - | PutBucketLifecycleConfiguration | - | PutBucketNotificationConfiguration | - | PutBucketPolicy | - | PutBucketReplication | - | PutBucketVersioning | - | PutObject | - | PutObjectAcl | - | PutObjectLegalHold | - | PutObjectLockConfiguration | - | PutObjectRetention | - | PutBucketTagging | - | PutObjectTagging | - | UploadPart | - | UploadPartCopy | - | DeleteObjectVersion | - | DeleteObjectVersionTagging | - | GetObjectVersion | - | GetObjectVersionAcl | - | GetObjectVersionTagging | - | PutObjectVersionAcl | - | PutObjectVersionTagging | - | PutObjectVersionRetention | - | PutObjectVersionLegalHold | - | MetadataSearch | diff --git a/tests/ctst/features/resource-policies/WebIdentity.feature b/tests/ctst/features/resource-policies/WebIdentity.feature deleted file mode 100644 index be2f1fd2d1..0000000000 --- a/tests/ctst/features/resource-policies/WebIdentity.feature +++ /dev/null @@ -1,18 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow for Web Identities - Bucket policies feature should allow the default web identities to - perform more actions, or be denied on actions they are not allowed to - perform by default. - - @2.6.0 - @PreMerge - @BucketPolicies - @BP-DATA_CONSUMER - Scenario Outline: GetObject permission should be denied by the bucket policy for a web identity - Given an action "GetObject" - And an existing bucket prepared for the action - And a DATA_CONSUMER type - And an environment setup for the API - And an "non-existing" IAM Policy that "" with "" effect for the current API - And an "existing" S3 Bucket Policy that "applies" with "DENY" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct diff --git a/tests/ctst/features/resource-policies/regen.js b/tests/ctst/features/resource-policies/regen.js deleted file mode 100644 index 0fe424cdfa..0000000000 --- a/tests/ctst/features/resource-policies/regen.js +++ /dev/null @@ -1,184 +0,0 @@ -/** - * BDD testing require that each scenario is explicitly written in the feature file. - * However, testing authz scenarios for each API is too extensive, so this code - * helps maintaining this test suite. - * When editing the feature files, make sure to re-run this script to ensure that - * all the tests scenarios are consistent. You can add a new S3 API to test under - * APIs, and a scenario combination under allCombinations. - * When applying the script, make sure to have the changes in a separate commit. - * Usage: node regen.js - */ -import fs from 'fs'; - -const targetFiles = [ - './AssumeRole.feature', - './CrossAccountAssumeRole.feature', - './IAMUser.feature', -]; - -const APIs = [ - 'AbortMultipartUpload', - 'CompleteMultipartUpload', - 'CopyObject', - // 'CreateBucket', - 'CreateMultipartUpload', - 'DeleteBucket', - 'DeleteBucketCors', - 'DeleteBucketEncryption', - 'DeleteBucketLifecycle', - 'DeleteBucketPolicy', - 'DeleteBucketReplication', - 'DeleteBucketWebsite', - 'DeleteObject', - 'DeleteBucketTagging', - 'DeleteObjectTagging', - 'DeleteObjects', - 'GetBucketAcl', - 'GetBucketCors', - 'GetBucketEncryption', - 'GetBucketLifecycleConfiguration', - 'GetBucketNotificationConfiguration', - 'GetBucketPolicy', - 'GetBucketReplication', - 'GetBucketVersioning', - 'GetObject', - 'GetObjectAcl', - 'GetObjectLegalHold', - 'GetObjectLockConfiguration', - 'GetObjectRetention', - 'GetBucketTagging', - 'GetObjectTagging', - 'HeadBucket', - 'HeadObject', - 'ListMultipartUploads', - 'ListObjectVersions', - 'ListObjects', - 'ListObjectsV2', - 'PutBucketAcl', - 'PutBucketCors', - 'PutBucketEncryption', - 'PutBucketLifecycleConfiguration', - 'PutBucketNotificationConfiguration', - 'PutBucketPolicy', - 'PutBucketReplication', - 'PutBucketVersioning', - 'PutObject', - 'PutObjectAcl', - 'PutObjectLegalHold', - 'PutObjectLockConfiguration', - 'PutObjectRetention', - 'PutBucketTagging', - 'PutObjectTagging', - 'UploadPart', - 'UploadPartCopy', - // Version-related - 'DeleteObjectVersion', - 'DeleteObjectVersionTagging', - 'GetObjectVersion', - 'GetObjectVersionAcl', - 'GetObjectVersionTagging', - 'PutObjectVersionAcl', - 'PutObjectVersionTagging', - 'PutObjectVersionRetention', - 'PutObjectVersionLegalHold', - // Scality-specific - 'MetadataSearch', -]; - -const scenarios = []; - -// In order, sets the current configuration for: -// bucketPolicyExists, bucketPolicyApplies, bucketPolicyEffect, -// iamPolicyExists, iamPolicyApplies, iamPolicyEffect -const allCombinations = [ - ['existing', 'applies', 'ALLOW', 'existing', 'applies', 'ALLOW'], - ['existing', 'applies', 'ALLOW', 'existing', 'applies', 'DENY'], - ['existing', 'applies', 'ALLOW', 'existing', 'applies', 'ALLOW+DENY'], - ['existing', 'applies', 'ALLOW', 'existing', 'does not apply', 'ALLOW'], - ['existing', 'applies', 'ALLOW', 'non-existing', '', ''], - ['existing', 'applies', 'DENY', 'existing', 'applies', 'ALLOW'], - ['existing', 'applies', 'DENY', 'existing', 'applies', 'DENY'], - ['existing', 'applies', 'DENY', 'existing', 'applies', 'ALLOW+DENY'], - ['existing', 'applies', 'DENY', 'existing', 'does not apply', 'ALLOW'], - ['existing', 'applies', 'DENY', 'non-existing', '', ''], - ['existing', 'does not apply', 'ALLOW', 'existing', 'applies', 'ALLOW'], - ['existing', 'does not apply', 'ALLOW', 'existing', 'applies', 'DENY'], - ['existing', 'does not apply', 'ALLOW', 'existing', 'applies', 'ALLOW+DENY'], - ['existing', 'does not apply', 'ALLOW', 'existing', 'does not apply', 'ALLOW'], - ['existing', 'does not apply', 'ALLOW', 'non-existing', '', ''], - ['non-existing', '', '', 'existing', 'applies', 'ALLOW'], - ['non-existing', '', '', 'existing', 'applies', 'DENY'], - ['non-existing', '', '', 'existing', 'applies', 'ALLOW+DENY'], - ['non-existing', '', '', 'existing', 'does not apply', 'ALLOW'], - ['non-existing', '', '', 'non-existing', '', ''], -]; - -const longest = { - action: 'action'.length, - bucketPolicyExists: 'bucketPolicyExists'.length, - bucketPolicyApplies: 'bucketPolicyApplies'.length, - bucketPolicyEffect: 'bucketPolicyEffect'.length, - iamPolicyExists: 'iamPolicyExists'.length, - iamPolicyApplies: 'iamPolicyApplies'.length, - iamPolicyEffect: 'iamPolicyEffect'.length, -}; - -for (const api of APIs) { - for (const combination of allCombinations) { - const scenario = { - action: api, - bucketPolicyExists: combination[0], - bucketPolicyApplies: combination[1], - bucketPolicyEffect: combination[2], - iamPolicyExists: combination[3], - iamPolicyApplies: combination[4], - iamPolicyEffect: combination[5], - }; - scenarios.push(scenario); - for (const key in scenario) { - if (scenario[key].length > longest[key] || !longest[key]) { - longest[key] = scenario[key].length; - } - } - } -} - -const output = scenarios.map(scenario => { - const paddedAction = scenario.action.padEnd(longest.action); - const paddedIamPolicyExists = scenario.iamPolicyExists.padEnd(longest.iamPolicyExists); - const paddedIamPolicyApplies = scenario.iamPolicyApplies.padEnd(longest.iamPolicyApplies); - const paddedIamPolicyEffect = scenario.iamPolicyEffect.padEnd(longest.iamPolicyEffect); - const paddedBucketPolicyExists = scenario.bucketPolicyExists.padEnd(longest.bucketPolicyExists); - const paddedBucketPolicyApplies = scenario.bucketPolicyApplies.padEnd(longest.bucketPolicyApplies); - const paddedBucketPolicyEffect = scenario.bucketPolicyEffect.padEnd(longest.bucketPolicyEffect); - - return ( - ' ', - paddedAction, - paddedBucketPolicyExists, - paddedBucketPolicyApplies, - paddedBucketPolicyEffect, - paddedIamPolicyExists, - paddedIamPolicyApplies, - paddedIamPolicyEffect).join(' | '); -}).join('\n'); - -targetFiles.forEach(file => { - const filePath = `${__dirname}/${file}`; - const fileContent = fs.readFileSync(filePath, 'utf-8'); - const startIndex = fileContent.indexOf('Everything below is generated'); - const startIndexNextLine = fileContent.indexOf('\n', startIndex); - const endIndex = fileContent.length; - - if (startIndex !== -1 && endIndex !== -1) { - const newContent = - `${fileContent.substring(0, startIndexNextLine) }\n${ output }\n${ fileContent.substring(endIndex)}`; - fs.writeFileSync(filePath, newContent, 'utf-8'); - // eslint-disable-next-line no-console - console.log(`Content in ${file} replaced.`); - } else { - // eslint-disable-next-line no-console - console.error( - `Couldn't find the specified markers in ${file}. Make sure the file contains the markers as specified.`); - } -}); diff --git a/tests/ctst/features/sosapi.feature b/tests/ctst/features/sosapi.feature deleted file mode 100644 index 54569e7961..0000000000 --- a/tests/ctst/features/sosapi.feature +++ /dev/null @@ -1,34 +0,0 @@ -Feature: Veeam SOSAPI - In order to use SOSAPI - As an Artesca User - I want to access the Veeam SOSAPI custom routes when SOSAPI is enabled in the CR - - @2.6.0 - @PreMerge - @SOSAPI - Scenario Outline: PUT routes for SOSAPI configuration files - Given a "" bucket - When I PUT the "" "" XML file - Then the request should be "" - - Examples: - | versioningConfiguration | isValid | sosapiFile | requestAccepted | - | Non versioned | valid | capacity.xml | accepted | - | Non versioned | invalid | capacity.xml | not accepted | - | Non versioned | valid | system.xml | accepted | - | Non versioned | invalid | system.xml | not accepted | - - @2.6.0 - @PreMerge - @SOSAPI - Scenario Outline: PUT routes for SOSAPI configuration files - Given a "" bucket with dot - When I PUT the "" "" XML file - Then the request should be "" - - Examples: - | versioningConfiguration | isValid | sosapiFile | requestAccepted | - | Non versioned | valid | capacity.xml | accepted | - | Non versioned | invalid | capacity.xml | not accepted | - | Non versioned | valid | system.xml | accepted | - | Non versioned | invalid | system.xml | not accepted | diff --git a/tests/ctst/features/zzz.kafkaCleaner.feature b/tests/ctst/features/zzz.kafkaCleaner.feature deleted file mode 100644 index aa771cbce6..0000000000 --- a/tests/ctst/features/zzz.kafkaCleaner.feature +++ /dev/null @@ -1,10 +0,0 @@ -# This file name starts with zzz to ensure it runs last because cucumber runs tests in alphabetical order by default -Feature: Kafka Cleaner - - @2.6.0 - @PreMerge - @AfterAll - @ColdStorage - @Flaky - Scenario Outline: Verify that consumed messages gets deleted by kafkacleaner - Then kafka consumed messages should not take too much place on disk \ No newline at end of file