S3 bucket policy examples

Bucket policies specify the access permissions for the bucket that the policy is attached to. Bucket policies are configured using the S3 PutBucketPolicy API.

A bucket policy can be configured using the AWS CLI as per the following command:

> aws s3api put-bucket-policy --bucket examplebucket --policy file://policy.json

Example: Allow everyone read-only access to a bucket

In this example, everyone, including anonymous, is allowed to list objects in the bucket and perform Get Object operations on all objects in the bucket. All other operations will be denied. Note that this policy might not be particularly useful since no one except the account root has permissions to write to the bucket.
{ 
  "Statement": [
    {
      "Sid": "AllowEveryoneReadOnlyAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [ "s3:GetObject", "s3:ListBucket" ],
      "Resource": ["urn:sgws:s3:::examplebucket","urn:sgws:s3:::examplebucket/*"]
    }
  ]
}

Example: Allow everyone in one account full access, and everyone in another account read-only access to a bucket

In this example, everyone in one specified account is allowed full access to a bucket, while everyone in another specified account is only permitted to List the bucket and perform GetObject operations on objects in the bucket beginning with the ‘shared/’ object key prefix.
Note: In StorageGRID Webscale, objects created by a non-owner account (including anonymous accounts) are owned by the bucket owner account. The bucket policy applies to these objects.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "95390887230002558202"
      },
      "Action": "s3:*",
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "31181711887329436680"
      },
      "Action": "s3:GetObject",
      "Resource": "urn:sgws:s3:::examplebucket/shared/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "31181711887329436680"
      },
      "Action": "s3:ListBucket",
      "Resource": "urn:sgws:s3:::examplebucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "shared/*"
        }
      }
    }  
  ]
}

Example: Allow everyone read-only access to a bucket and full access by specified group

In this example, everyone including anonymous, is allowed to List the bucket and perform GET Object operations on all objects in the bucket, while only users belonging the group Marketing in the specified account are allowed full access.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "urn:sgws:identity::95390887230002558202:federated-group/Marketing"
      },
      "Action": "s3:*",
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket","s3:GetObject"],
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    }
  ]
}

Example: Allow everyone read and write access to a bucket if client in IP range

In this example, everyone, including anonymous, is allowed to List the bucket and perform any Object operations on all objects in the bucket, provided that the requests come from a specified IP range (54.240.143.0 to 54.240.143.255, except 54.240.143.188). All other operations will be denied, and all requests outside of the IP range will be denied.
Note: The ‘Condition’ keyword is only supported in the Tenant Manager (StorageGRID Webscale version 10.4 or greater).
{ 
  "Statement": [
    {
      "Sid": "AllowEveryoneReadWriteAccessIfInSourceIpRange",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [ "s3:*Object", "s3:ListBucket" ],
      "Resource": ["urn:sgws:s3:::examplebucket","urn:sgws:s3:::examplebucket/*"],
      "Condition": {
        "IpAddress": {"sgws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"sgws:SourceIp": "54.240.143.188"} 
      }
    }
  ]
}

Example: Allow full access to a bucket exclusively by a specified federated user

In this example, the federated user Bob is allowed full access to the examplebucket bucket and its objects. All other users, including ‘root’, are explicitly denied all operations. Note however that ‘root’ is never denied permissions to Put/Get/DeleteBucketPolicy.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "urn:sgws:identity::95390887230002558202:federated-user/Bob"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "SGWS": "urn:sgws:identity::95390887230002558202:federated-user/Bob"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    }
  ]
}