Working With a Bucket Policy

You can attach a policy to define the actions that can take place on a bucket and the conditions under which those actions can occur. In addition, you can edit an existing policy or delete it.

Defining a Bucket Policy

  1. Click three_dots.png for the bucket and click Settings.

  2. Click the POLICIES tab.

  3. If a policy is not already defined for the bucket, the panel appears as:

     policies-new.png

     If the panel appears with a policy defined, you can edit it (see Editing a Bucket Policy).

     Note:   Click notepad_3.png to copy the Amazon Resource Name (ARN) to the clipboard.

  4. Enter the policy as JSON. For example:

     policies-new2.png

     This policy grants anonymous read access (s3:GetObject) to every object, which makes the bucket's content public:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "AllowPublicRead",
           "Effect": "Allow",
           "Principal": {
             "AWS": "*"
           },
           "Action": "s3:GetObject",
           "Resource": [
             "arn:aws:s3:::mybucket/*",
             "arn:aws:s3:::mybucket"
           ]
         }
       ]
     }

     The following policy restricts access by source IP address instead: it allows every S3 action (s3:*) on the bucket's objects only when the request comes from the 77.19.132.0/24 range, and the NotIpAddress block withholds that grant from a single address. Because the principal is still "*", every client on the allowed network receives full access, and a NotIpAddress exclusion only takes effect when the excluded address lies inside an allowed range.

     {
       "Id": "S3PolicyId1",
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "IPAllow",
           "Effect": "Allow",
           "Principal": {
             "AWS": "*"
           },
           "Action": "s3:*",
           "Resource": "arn:aws:s3:::vbatra-ip-only/*",
           "Condition": {
             "IpAddress": {
               "aws:SourceIp": "77.19.132.0/24"
             },
             "NotIpAddress": {
               "aws:SourceIp": "76.19.132.120/32"
             }
           }
         }
       ]
     }

     This policy grants permissions to multiple accounts. In the example below, two accounts (arn:aws:iam::100000000164:root and arn:aws:iam::100000000162:root) are given access (s3:GetObject, s3:ListBucket, s3:PutObject and s3:PutObjectAcl) to objects under a bucket named multi-account.

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "AddCannedAcl",
           "Effect": "Allow",
           "Principal": {
             "AWS": [
               "arn:aws:iam::100000000164:root",
               "arn:aws:iam::100000000162:root"
             ]
           },
           "Action": [
             "s3:GetObject",
             "s3:ListBucket",
             "s3:PutObject",
             "s3:PutObjectAcl"
           ],
           "Resource": "arn:aws:s3:::multi-account/*"
         }
       ]
     }

     Note that syntax errors are flagged as you enter the policy. In this example, the colon (:) is missing after “Statement” in line 3:

     policies-new3.png

  5. When you see 111-policies.png, click SAVE to create the policy.
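The editor only checks JSON syntax, not what a policy grants. As an added example (not part of this product or its documentation), the following reviewer flags every Allow statement whose principal is the wildcard "*": with no source-IP condition it is reported as public, with an IpAddress condition it is reported with the allowed ranges, and any NotIpAddress entry outside every allowed range is flagged as ineffective, which is what happens with the constructed copy of the IP-restricted policy above, where 76.19.132.120/32 does not lie inside 77.19.132.0/24.

```python
import ipaddress


def _as_list(v):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _anonymous_principal(principal):
    """True when the principal is the wildcard ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def review_policy(policy):
    """Return (Sid, message) findings for Allow statements with a wildcard principal.

    No source-IP condition means the statement is open to anyone. A statement
    gated by aws:SourceIp is reported with its allowed ranges, and each
    NotIpAddress entry that lies outside every allowed range is flagged because
    it can never match a request the IpAddress clause would have admitted.
    """
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _anonymous_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(st.get("Action", [])))
        cond = st.get("Condition", {})
        allowed = [ipaddress.ip_network(c) for c in
                   _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))]
        excluded = [ipaddress.ip_network(c) for c in
                    _as_list(cond.get("NotIpAddress", {}).get("aws:SourceIp", []))]
        if not allowed:
            findings.append((sid, "public: %s allowed to anyone with no source-IP condition" % actions))
            continue
        findings.append((sid, "anonymous access to %s from %s"
                         % (actions, ", ".join(str(a) for a in allowed))))
        for ex in excluded:
            if not any(ex.version == a.version and ex.subnet_of(a) for a in allowed):
                findings.append((sid, "NotIpAddress %s has no effect: outside every allowed range" % ex))
    return findings


# Constructed copy of the IP-restricted policy shown above (sample input, not live data).
IP_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
    "Resource": "arn:aws:s3:::vbatra-ip-only/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "77.19.132.0/24"},
                  "NotIpAddress": {"aws:SourceIp": "76.19.132.120/32"}}}]}

if __name__ == "__main__":
    for sid, msg in review_policy(IP_ONLY):
        print(sid, "-", msg)
```

Run it against a policy before pasting it into the editor; a statement that is meant to be restricted but shows up as public is the case worth catching before SAVE.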

Editing a Bucket Policy

If a policy exists for a bucket, you can edit it.

  1. Click three_dots.png for the bucket and click Settings.

  2. Click the POLICIES tab.

  3. Edit the content of the policy, as required.

  4. Click SAVE.

Deleting a Bucket Policy

If a policy exists for a bucket, you can delete it.

  1. Click three_dots.png for the bucket and click Settings.

  2. Click the POLICIES tab.

  3. Click DELETE.