I keep seeing this in bucket policy examples and I don't know what it is:
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
Does this mean the user has to add a header "s3:x-amz-acl" that has value "bucket-owner-full-control"? Is this enforcing an actual ACL or is this arbitrary? Can it be any header and string or is there significance to s3:x-amz-acl and bucket-owner-full-control?
This policy snippet requires that the request contain the specification of a canned ACL, using the header x-amz-acl (case-insensitive), with the value bucket-owner-full-control.
A constraint on this condition normally is used to ensure that the owner of the object (which is always the uploading user, not necessarily the owner of the bucket) can't create an object that the bucket owner is unable to read ("full control" is an unfortunate misnomer, because the bucket owner can already delete foreign objects, and despite this cannot further delegate permissions on the object).
But it isn't arbitrary.
Specifically: s3:x-amz-acl is an S3-specific IAM policy condition key that happens to be named exactly the same as the header that it matches.
It is not an arbitrary header match, even though such a capability might be handy at times. Most other HTTP headers are not subject to policy conditions, and you can't use, e.g. an s3:x-random-http-header condition.
There are global condition keys like aws:SecureTransport that can be used to deny a request that isn't using HTTPS, and aws:UserAgent that evaluates against the HTTP User-Agent header, but note the documented caveat that this "should not be used to prevent unauthorized parties from making direct AWS requests" because it is easily forged by the user agent. Otherwise there are not a lot of options for allowing/denying requests related to headers.
Unlike the condition key, the value string bucket-owner-full-control is not actually validated within the policy, since it's just a string, but if you don't specify a valid value, it will simply never match.