S3 group policy examples

Group policies specify the access permissions for the group that the policy is attached to. There is no Principal element in the policy since it is implicit. Group policies are configured using the Tenant Manager or the API.

Example: Setting the group policy using the Tenant Manager

When using the Tenant Manager to add or edit a group, you can use the S3 Policy dialog box to create and update group policies using valid JSON strings:
[Screenshot: sample JSON policy entered in the S3 Policy dialog box]

Example: Allow group full access to all buckets

In this example, all members of the group are permitted full access to all buckets owned by the tenant account unless explicitly denied by bucket policy.
{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "urn:sgws:s3:::*"
    }
  ]
}

Example: Allow group read-only access to all buckets

In this example, all members of the group are permitted read-only access to all buckets unless explicitly denied by bucket policy. Access to buckets owned by this account would be allowed unless explicitly denied by the target bucket policy.
{
  "Statement": [
    {
      "Sid": "AllowGroupReadOnlyAccess",
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject" ],
      "Resource": "urn:sgws:s3:::*"
    }
  ]
}

Example: Allow group members full access to only their “folder” in a bucket

In this example, members of the group are only permitted to list and access their specific folder (key prefix) in the specified bucket. Note that access permissions from other group policies and the bucket policy should be considered when determining the privacy of these folders.
Note: The ‘Condition’ keyword and sgws:username variable are only supported in the Tenant Manager.
{
  "Statement": [
    {
      "Sid": "AllowListBucketOfASpecificUserPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "urn:sgws:s3:::department-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "${sgws:username}/*"
        }
      }
    },
    {
      "Sid": "AllowUserSpecificActionsOnlyInTheSpecificUserPrefix",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "urn:sgws:s3:::department-bucket/${sgws:username}/*"
    }
  ]
}

Example: PutOverwriteObject permission

In this example, the Deny Effect for PutOverwriteObject and DeleteObject protects the object’s data, user-defined metadata, and S3 object tagging from being deleted or modified, even though the final statement grants s3:* on the same objects: an explicit Deny takes precedence over any Allow.

{
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutOverwriteObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "urn:sgws:s3:::wormbucket/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "urn:sgws:identity::95390887230002558202:federated-group/SomeGroup"
      },
      "Action": "s3:ListBucket",
      "Resource": "urn:sgws:s3:::wormbucket"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "urn:sgws:identity::95390887230002558202:federated-group/SomeGroup"
      },
      "Action": "s3:*",
      "Resource": "urn:sgws:s3:::wormbucket/*"
    }
  ]
}
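The per-user "folder" example and the PutOverwriteObject example above rely on three evaluation rules that are easy to get wrong when reviewing a policy: the ${sgws:username} variable is expanded per request, a StringLike condition on s3:prefix fails when the request supplies no matching prefix, and an explicit Deny wins over an s3:* Allow no matter where it appears in the Statement list. The following Python script is an added illustration, not StorageGRID code or its policy engine: a deliberately small evaluator that models only those rules (StringLike is the only condition operator supported, Principal is ignored because the page states a group policy's principal is implicit). FOLDER_POLICY and WORM_POLICY are constructed copies of the two page examples, and the user name "alice", the object keys, and the prefixes are made-up request data.

```python
import re

# Constructed copies of the page's "folder per user" and PutOverwriteObject
# example policies (the Principal entries of the second are dropped, since
# this model assumes the requester is a member of the attached group).
FOLDER_POLICY = {
    "Statement": [
        {
            "Sid": "AllowListBucketOfASpecificUserPrefix",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "urn:sgws:s3:::department-bucket",
            "Condition": {"StringLike": {"s3:prefix": "${sgws:username}/*"}},
        },
        {
            "Sid": "AllowUserSpecificActionsOnlyInTheSpecificUserPrefix",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": "urn:sgws:s3:::department-bucket/${sgws:username}/*",
        },
    ]
}

WORM_POLICY = {
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["s3:PutOverwriteObject", "s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": "urn:sgws:s3:::wormbucket/*",
        },
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "urn:sgws:s3:::wormbucket"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "urn:sgws:s3:::wormbucket/*"},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, username):
    # Expand the ${sgws:username} policy variable with the requesting user's name.
    return text.replace("${sgws:username}", username)


def _wildcard_match(pattern, value):
    # Policy wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context, username):
    # Only StringLike is modelled; every clause must hold (AND semantics), and a
    # context key that the request does not supply makes its clause fail.
    for operator, clauses in condition.items():
        if operator != "StringLike":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in clauses.items():
            if key not in context:
                return False
            if not any(_wildcard_match(_substitute(p, username), context[key])
                       for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy, username, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy.

    Nothing matching means implicit Deny; an explicit Deny statement wins over
    any Allow, regardless of statement order.
    """
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(_substitute(r, username), resource)
                   for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context, username):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    dept = "urn:sgws:s3:::department-bucket"
    worm = "urn:sgws:s3:::wormbucket/doc.txt"
    cases = [
        (FOLDER_POLICY, "alice", "s3:ListBucket", dept, {"s3:prefix": "alice/"}),
        (FOLDER_POLICY, "alice", "s3:ListBucket", dept, {"s3:prefix": "bob/"}),
        (FOLDER_POLICY, "alice", "s3:ListBucket", dept, {}),
        (FOLDER_POLICY, "alice", "s3:PutObject", dept + "/alice/report.csv", None),
        (FOLDER_POLICY, "alice", "s3:GetObject", dept + "/bob/report.csv", None),
        (WORM_POLICY, "alice", "s3:PutObject", worm, None),
        (WORM_POLICY, "alice", "s3:PutOverwriteObject", worm, None),
        (WORM_POLICY, "alice", "s3:DeleteObjectVersion", worm, None),
    ]
    for policy, user, action, resource, ctx in cases:
        print(f"{action:22} {resource:50} -> {evaluate(policy, user, action, resource, ctx)}")
```

Run it directly to see the decision for each constructed request. The third folder case is the one worth noticing when reviewing such a policy: a ListBucket request that supplies no prefix at all is denied, because the StringLike clause cannot be satisfied, so a user cannot enumerate other users' folders by simply omitting the prefix. Note that this model checks a single policy in isolation; on the grid, the bucket policy and any other group policies are evaluated as well, as the page's folder example points out.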