Example bucket and Group(IAM) policies
Here are examples of bucket policies and group policies (IAM policies).
Group Policies (IAM)
Home Directory style bucket access
This group policy allows each user to access only the objects under the prefix matching their own username in the bucket named home.
{
  "Statement": [
    {
      "Sid": "AllowListBucketOfASpecificUserPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::home",
      "Condition": {
        "StringLike": {
          "s3:prefix": "${aws:username}/*"
        }
      }
    },
    {
      "Sid": "AllowUserSpecificActionsOnlyInTheSpecificUserPrefix",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::home/?/?/${aws:username}/*"
    }
  ]
}
Deny object lock bucket creation
This group policy prevents users from creating a bucket with object lock enabled.
This policy is not enforced in the StorageGRID UI; it is only enforced by the S3 API.
{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": [
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutBucketVersioning"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
Object lock retention limit
This bucket policy restricts the object lock retention period on the bucket testlock-01 to 10 days or less.
{
  "Version": "2012-10-17",
  "Id": "CustSetRetentionLimits",
  "Statement": [
    {
      "Sid": "CustSetRetentionPeriod",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObjectRetention"
      ],
      "Resource": "arn:aws:s3:::testlock-01/*",
      "Condition": {
        "NumericGreaterThan": {
          "s3:object-lock-remaining-retention-days": "10"
        }
      }
    }
  ]
}
Restrict users from deleting objects by version ID
This group policy prevents users from deleting versioned objects by version ID.
{
  "Statement": [
    {
      "Action": [
        "s3:DeleteObjectVersion"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
This bucket policy prevents the user identified by user ID "56622399308951294926" from deleting versioned objects in the bucket verdeny by version ID, while allowing that user every other S3 action on the bucket's objects.
{
  "Statement": [
    {
      "Action": [
        "s3:DeleteObjectVersion"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::verdeny/*",
      "Principal": {
        "AWS": [
          "56622399308951294926"
        ]
      }
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::verdeny/*",
      "Principal": {
        "AWS": [
          "56622399308951294926"
        ]
      }
    }
  ]
}
Restrict bucket to single user with read-only access
This policy allows a single user read-only access to a bucket and explicitly denies access to all other users. Grouping the Deny statements at the top of the policy is a good practice for faster evaluation.
{
  "Statement": [
    {
      "Sid": "Deny non user1",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "urn:sgws:identity::34921514133002833665:user/user1"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "urn:sgws:s3:::bucket1",
        "urn:sgws:s3:::bucket1/*"
      ]
    },
    {
      "Sid": "Allow user1 read access to bucket bucket1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "urn:sgws:identity::34921514133002833665:user/user1"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "urn:sgws:s3:::bucket1",
        "urn:sgws:s3:::bucket1/*"
      ]
    }
  ]
}
Restrict a group to single subdirectory (prefix) with read-only access
This policy gives members of the group read-only access to a subdirectory (prefix) within a bucket. The bucket name is "study" and the subdirectory is "study01".
{
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndstudyListingOfBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::study"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "study01/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfstudy01",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::study"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "study01/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInstudy01Folder",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::study/study01/*"
      ]
    }
  ]
}
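To check what these policies actually decide before deploying them, here is a small evaluator added as an example; it is not StorageGRID code and does not come from this page. It implements only the evaluation rules the examples above depend on (explicit Deny beats Allow, implicit Deny by default, wildcard Action and Resource matching, ${aws:username} substitution, Principal/NotPrincipal, and the StringEquals, StringLike and NumericGreaterThan operators), and then runs constructed requests against the home-directory, object-lock-deny, retention-limit and single-user read-only policies transcribed from the page. The user names, object keys and request helper are assumptions made for illustration.

```python
"""Minimal evaluator for S3-style group (IAM) and bucket policies.

Added example, not StorageGRID code. It covers just the behaviour the
policies on this page rely on: any matching explicit Deny wins, the default
is an implicit Deny, '*' and '?' wildcards in Action and Resource,
${aws:username} substitution, Principal / NotPrincipal, and the StringEquals,
StringLike and NumericGreaterThan condition operators. Principals are
compared as plain strings; everything else IAM does is deliberately left out.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold=False):
    # IAM-style wildcards: '*' matches any run of characters, '?' one character.
    # Action names are case-insensitive; resources and condition values are not.
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _principals(spec):
    return ["*"] if spec == "*" else _as_list(spec.get("AWS", []))


def _condition_ok(condition, context):
    # Every operator/key pair must hold. A key missing from the request context
    # makes the condition false, so a conditional Deny simply does not fire.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(_matches(w, actual) for w in wanted)
            elif operator == "NumericGreaterThan":
                ok = any(float(actual) > float(w) for w in wanted)
            else:
                raise ValueError("unsupported condition operator: " + operator)
            if not ok:
                return False
    return True


def _statement_applies(stmt, req):
    sub = lambda s: s.replace("${aws:username}", req["username"])
    if not any(_matches(a, req["action"], fold=True) for a in _as_list(stmt["Action"])):
        return False
    if not any(_matches(sub(r), req["resource"]) for r in _as_list(stmt["Resource"])):
        return False
    if "Principal" in stmt:
        allowed = _principals(stmt["Principal"])
        if "*" not in allowed and req["principal"] not in allowed:
            return False
    if "NotPrincipal" in stmt and req["principal"] in _principals(stmt["NotPrincipal"]):
        return False
    condition = {op: {k: [sub(v) for v in _as_list(vals)] for k, vals in pairs.items()}
                 for op, pairs in stmt.get("Condition", {}).items()}
    return _condition_ok(condition, req.get("context", {}))


def evaluate(policies, req):
    """Decide one request against the union of group and bucket policies:
    any matching explicit Deny wins, otherwise some Allow must match."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, req):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def request(principal, username, action, resource, context=None):
    # Hypothetical request shape used by this example only.
    return {"principal": principal, "username": username, "action": action,
            "resource": resource, "context": context or {}}


# Policies transcribed from this page as Python dicts.
HOME_DIR = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::home",
     "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}}},
    {"Effect": "Allow", "Action": "s3:*Object",
     "Resource": "arn:aws:s3:::home/?/?/${aws:username}/*"}]}
NO_OBJECT_LOCK = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": ["s3:PutBucketObjectLockConfiguration", "s3:PutBucketVersioning"],
     "Resource": "arn:aws:s3:::*"}]}
RETENTION_LIMIT = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": ["s3:PutObjectRetention"],
     "Resource": "arn:aws:s3:::testlock-01/*",
     "Condition": {"NumericGreaterThan": {"s3:object-lock-remaining-retention-days": "10"}}}]}
USER1 = "urn:sgws:identity::34921514133002833665:user/user1"
READ_ONLY = {"Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": USER1}, "Action": ["s3:*"],
     "Resource": ["urn:sgws:s3:::bucket1", "urn:sgws:s3:::bucket1/*"]},
    {"Effect": "Allow", "Principal": {"AWS": USER1}, "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["urn:sgws:s3:::bucket1", "urn:sgws:s3:::bucket1/*"]}]}

if __name__ == "__main__":
    # Constructed requests: user "alice" in her own and in another user's prefix.
    print(evaluate([HOME_DIR], request("alice", "alice", "s3:GetObject",
                                       "arn:aws:s3:::home/a/l/alice/notes.txt")))
    print(evaluate([HOME_DIR], request("alice", "alice", "s3:GetObject",
                                       "arn:aws:s3:::home/a/l/bob/notes.txt")))
    # Group policy allows s3:*, bucket policy denies retention longer than 10 days.
    print(evaluate([NO_OBJECT_LOCK, RETENTION_LIMIT],
                   request(USER1, "user1", "s3:PutObjectRetention", "arn:aws:s3:::testlock-01/doc.pdf",
                           {"s3:object-lock-remaining-retention-days": "30"})))
```

Two details worth noticing when running it: the `?/?` in the home-directory resource means an object key must sit two path segments below `home/` before the username segment, and `s3:*Object` does not match `s3:DeleteObjectVersion`, so that group policy alone never permits deleting a specific version. The retention case also shows why a bucket policy that contains only a Deny needs a separate Allow (here from the group policy) for anything to succeed.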