Example bucket policies
Use the examples in this section to build StorageGRID access policies for buckets.
Bucket policies specify the access permissions for the bucket that the policy is attached to. You configure a bucket policy by using the S3 PutBucketPolicy API through one of these tools:
-
AWS CLI using this command (refer to Operations on buckets):
> aws s3api put-bucket-policy --bucket examplebucket --policy file://policy.json
Example: Allow everyone read-only access to a bucket
In this example, everyone, including anonymous, is allowed to list objects in the bucket and perform GetObject operations on all objects in the bucket. All other operations will be denied. Note that this policy might not be particularly useful because no one except the account root has permissions to write to the bucket.
{ "Statement": [ { "Sid": "AllowEveryoneReadOnlyAccess", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": ["arn:aws:s3:::examplebucket","arn:aws:s3:::examplebucket/*"] } ] }
Example: Allow everyone in one account full access, and everyone in another account read-only access to a bucket
In this example, everyone in one specified account is allowed full access to a bucket, while everyone in another specified account is only permitted to List the bucket and perform GetObject operations on objects in the bucket beginning with the shared/
object key prefix.
In StorageGRID, objects created by a non-owner account (including anonymous accounts) are owned by the bucket owner account. The bucket policy applies to these objects. |
{ "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "95390887230002558202" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*" ] }, { "Effect": "Allow", "Principal": { "AWS": "31181711887329436680" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/shared/*" }, { "Effect": "Allow", "Principal": { "AWS": "31181711887329436680" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::examplebucket", "Condition": { "StringLike": { "s3:prefix": "shared/*" } } } ] }
Example: Allow everyone read-only access to a bucket and full access by specified group
In this example, everyone including anonymous, is allowed to List the bucket and perform GetObject operations on all objects in the bucket, while only users belonging the group Marketing
in the specified account are allowed full access.
{ "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::95390887230002558202:federated-group/Marketing" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*" ] }, { "Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket","s3:GetObject"], "Resource": [ "arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*" ] } ] }
Example: Allow everyone read and write access to a bucket if client in IP range
In this example, everyone, including anonymous, is allowed to List the bucket and perform any Object operations on all objects in the bucket, provided that the requests come from a specified IP range (54.240.143.0 to 54.240.143.255, except 54.240.143.188). All other operations will be denied, and all requests outside of the IP range will be denied.
{ "Statement": [ { "Sid": "AllowEveryoneReadWriteAccessIfInSourceIpRange", "Effect": "Allow", "Principal": "*", "Action": [ "s3:*Object", "s3:ListBucket" ], "Resource": ["arn:aws:s3:::examplebucket","arn:aws:s3:::examplebucket/*"], "Condition": { "IpAddress": {"aws:SourceIp": "54.240.143.0/24"}, "NotIpAddress": {"aws:SourceIp": "54.240.143.188"} } } ] }
Example: Allow full access to a bucket exclusively by a specified federated user
In this example, the federated user Alex is allowed full access to the examplebucket
bucket and its objects. All other users, including ‘root', are explicitly denied all operations. Note however that ‘root' is never denied permissions to Put/Get/DeleteBucketPolicy.
{ "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::95390887230002558202:federated-user/Alex" }, "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*" ] }, { "Effect": "Deny", "NotPrincipal": { "AWS": "arn:aws:iam::95390887230002558202:federated-user/Alex" }, "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*" ] } ] }
Example: PutOverwriteObject permission
In this example, the Deny
Effect for PutOverwriteObject and DeleteObject ensures that no one can overwrite or delete the object's data, user-defined metadata, and S3 object tagging.
{ "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": [ "s3:PutOverwriteObject", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": "arn:aws:s3:::wormbucket/*" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::95390887230002558202:federated-group/SomeGroup" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::wormbucket" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::95390887230002558202:federated-group/SomeGroup" }, "Action": "s3:*", "Resource": "arn:aws:s3:::wormbucket/*" } ] }