Define access and permissions using bucket policies
Bucket policies are a mechanism for managing permissions and access to Object Storage. When compared to ACLs, bucket policies can only be applied across an entire bucket (not to individual objects), though they offer finer control over the types of permissions you can grant to a user.
Apply a bucket policy with s3cmd
- Create a policy file and save it to your local machine as policy.json. You can use one of the examples on this page as a starter file and customize it according to your needs.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "192.0.2.1/32"
}
}
}
]
}
The example file above defines a policy that rejects all S3 API requests unless they originate from the specified IP address. Replace YOUR_BUCKET_NAME with the label of your bucket and update the IP address CIDR according to your needs. If you want to restrict the bucket to a single IP address, use /32. See Allow or deny access from a specific IP address.
- Upload this policy to your bucket. Again, replace YOUR_BUCKET_NAME with the label of your bucket. Before performing this action, you may wish to check for an existing policy using the s3cmd info command detailed in the next step. If there is an existing policy that you want to retain, download that existing policy first (using s3cmd info) and merge it into the policy.json file before uploading your new policy.
s3cmd setpolicy policy.json s3://YOUR_BUCKET_NAME
- Validate that the policy is in place.
s3cmd info s3://YOUR_BUCKET_NAME
See S3cmd > Apply a Bucket Policy for more details on the s3cmd setpolicy and s3cmd info commands.
Components of a policy
Bucket policies are formatted using JSON with the following structure:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": ...,
"Principal": ...,
"Action": ...,
"Resource": ...
}]
}
This file consists of a Version string (set to 2012-10-17, which is the current version) and a Statement array containing one or more statement objects, which define the actual policies you wish to apply. Each statement object contains the Effect, Principal, Action, and Resource elements and an optional Condition element. Each of these is discussed below.
Effect
The Effect section defines if access is allowed (Allow) or denied (Deny) to the specified resource. See IAM JSON policy elements: Effect.
"Effect": "Allow"
Principal
The Principal section defines the user or entity to which the policy applies. See Amazon S3 principals.
- Specific user: Specify an Object Storage canonical ID to have the policy apply to that user. For help finding the canonical ID, see Find canonical user ID.
"Principal": { "AWS": [ "arn:aws:iam:::user/a0000000-000a-0000-0000-00d0ff0f0000" ] }
- Public/anonymous access: Use a wildcard to grant access to everyone. This is commonly used for hosting a website through Object Storage.
"Principal": "*"
Action
Action lists the permissions granted (or denied) by the policy. These actions include the ability to list buckets, view objects, upload objects, and more:
- s3:PutObject: Upload objects
- s3:GetObject: Retrieve objects
- s3:ListBucket: List the contents of a bucket
For a full list of actions, see Ceph > Bucket Policies. You can also reference the Amazon S3 actions guide.
Resource
A policy is applied to Object Storage resources, such as buckets and objects. Bucket resources are formatted as "arn:aws:s3:::[bucket]". To apply a policy to some or all objects within a bucket, use "arn:aws:s3:::[bucket]/[object]". In both cases, replace [bucket] with the label for the bucket and [object] with either the wildcard value (*) that designates all objects or the path and name of the object. See Amazon S3 resources.
- All objects: Apply the policy to all objects within the bucket labeled example-bucket.
"Resource": [ "arn:aws:s3:::example-bucket/*" ]
- All objects in a specific directory: Apply the policy to all objects in the assets folder within the bucket labeled example-bucket.
"Resource": [ "arn:aws:s3:::example-bucket/assets/*" ]
- Specific object: Apply the policy to the object example-file.ext within the bucket labeled example-bucket.
"Resource": [ "arn:aws:s3:::example-bucket/example-file.ext" ]
While a resource can target the bucket itself (by removing the /* in the first example), this can cause the bucket to become inaccessible to Cloud Manager, the API, and the CLI.
Bucket policy examples
Allow public read access
If you wish to allow anyone to view and download objects within a bucket, use the following policy:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-example",
"arn:aws:s3:::bucket-example/*"
]
}]
}
Grant an account limited access to a directory
This policy file allows a user to list the bucket called example-bucket and view/download objects within the test directory. They are not able to perform any other actions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::user/a0000000-000a-0000-0000-00d0ff0f0000"
},
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::example-bucket"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::user/a0000000-000a-0000-0000-00d0ff0f0000"
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::example-bucket/test/*"
]
}
]
}
Grant full public access
This policy allows all users to list all objects in the bucket and to fetch them. Use this policy with caution as it will make your bucket fully public.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*"
},
{
"Sid": "PublicListBucket",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::your-bucket-name"
}
]
}
Allow or deny access from a specific IP address
By using the Condition section and the IpAddress and NotIpAddress conditions, you can choose to allow or deny traffic from the specified IP address or range.
The example below rejects all S3 API requests, including those signed with a valid access key, unless they come from a specific IP address:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::example-bucket/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "192.0.2.1/32"
}
}
}
]
}
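To see how the elements described under Components of a policy combine at request time, here is an added example (not code from this page, s3cmd, Ceph, or the Object Storage service) that evaluates a constructed policy made of the public-read statement and the IP-restriction Deny above. It assumes the standard IAM decision order (an explicit Deny overrides any Allow, and no match is an implicit deny), supports only the elements this page covers, and approximates wildcard matching with fnmatch.

```python
import ipaddress
import json
from fnmatch import fnmatchcase

# Constructed sample policy: the page's public-read Allow plus its source-IP Deny.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
  {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.1/32"}}}]}""")

def as_list(value):
    # Action, Resource and Principal values may be a single string or a list.
    return value if isinstance(value, list) else [value]

def principal_matches(principal, caller):
    # "*" matches everyone (including anonymous); otherwise the caller ARN must be under "AWS".
    return principal == "*" or caller in as_list(principal.get("AWS", []))

def condition_holds(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; other operators are not modelled."""
    ip = ipaddress.ip_address(source_ip)
    for operator, args in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        nets = [ipaddress.ip_network(c, strict=False) for c in as_list(args["aws:SourceIp"])]
        in_range = any(ip in n for n in nets)
        if (operator == "IpAddress") != in_range:   # IpAddress wants a hit, NotIpAddress a miss
            return False
    return True

def evaluate(policy, action, resource, caller="*", source_ip="203.0.113.9"):
    """Decide one request: explicit Deny wins, an Allow beats the implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        matched = (principal_matches(stmt["Principal"], caller)
                   and any(fnmatchcase(action, a) for a in as_list(stmt["Action"]))
                   and any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
                   and condition_holds(stmt.get("Condition", {}), source_ip))
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/test/a.txt"
    print(evaluate(POLICY, "s3:GetObject", obj, source_ip="192.0.2.1"))    # Allow
    print(evaluate(POLICY, "s3:GetObject", obj, source_ip="198.51.100.7"))  # Deny
```

Note that the Deny only names the object resource (example-bucket/*), so s3:ListBucket on the bucket ARN itself is still allowed from any address; a second Deny statement with the bucket ARN as Resource is needed to restrict listing as well.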