Bucket Policy Configuration Reference

A bucket policy is a JSON file in which you define the rules that control access to your bucket and to the objects in it. With a bucket policy, you specify who can read, write, or delete the contents of your bucket.

This page describes the elements you can specify in a bucket policy configuration file. Once you have written the file, you need to apply it to your bucket. For more information, see Applying a Policy to Your Bucket.

Conditions are not yet supported by OUTSCALE Object Storage.

To create a bucket policy, you need to create a JSON file following this structure:

Configuration structure
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:CreateMultipartUpload",
         "Resource": "arn:aws:s3:::example-bucket/Public/*"
      },
      {
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/Private/*"
      },
      {
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::123456789012:root"
         },
         "Action": [
            "s3:PutObject",
            "s3:DeleteObject"
         ],
         "Resource": "arn:aws:s3:::example-bucket/Uploads/*"
      }
   ]
}

This file contains the following attributes. All of them are required.

Version
   Specifies the version of the policy language. The value must be 2012-10-17 (currently the latest version) or greater.

Statement
   Defines the specific permissions you want to grant on your resources (bucket and objects).

Effect
   Specifies whether the statement allows or denies access to the resources it specifies.

Principal
   Indicates which AWS accounts the statement applies to.

Action or NotAction
   One or more operations the statement applies to (Action), or that the statement excludes (NotAction). For more information on the operations you can specify in your policy, see Bucket Policy Supported Actions List.

   You can use wildcards (*) to grant access to multiple S3 actions, depending on your access requirements:

   1. A wildcard alone in the Action field grants access to all S3 actions. For example:

      "Action": [
         "s3:*"
      ]

   2. Surrounding part of an action name with wildcards (*) grants access to all actions whose name contains that term. This example grants access to all actions related to objects, such as s3:GetObject, s3:PutObject, and s3:DeleteObject:

      "Action": [
         "s3:*Object*"
      ]

   Use wildcards cautiously: they make it easy to unintentionally over-permit access to your resources.

Resource
   Specifies the bucket and objects to which the permissions apply, identified by Amazon Resource Names (ARNs).
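As an added example that is not part of the OUTSCALE documentation, the following Python snippet models how a policy with the structure above is evaluated: wildcards in Action and Resource are matched as globs, an explicit Deny overrides any Allow, and a request that no statement covers is denied implicitly; it also flags Allow statements that combine the "*" principal with a wildcard action, the over-permissive combination the wildcard caution refers to. The evaluation rules are a simplified model assumed here (conditions and the service's exact matching rules are out of scope), and the policy is constructed inline.

```python
import fnmatch
import json

# Constructed sample policy with the same shape as the structure documented above.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:CreateMultipartUpload",
     "Resource": "arn:aws:s3:::example-bucket/Public/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/Private/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/Uploads/*"}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller):
    # "*" means everyone; otherwise {"AWS": "<arn>" or ["<arn>", ...]}.
    return principal == "*" or caller in _as_list(principal.get("AWS", []))

def _any_match(patterns, name):
    # Simplified model: policy wildcards (* and ?) are treated as shell globs.
    return any(fnmatch.fnmatchcase(name, p) for p in _as_list(patterns))

def _statement_matches(stmt, caller, action, resource):
    if not _principal_matches(stmt["Principal"], caller):
        return False
    if "Action" in stmt:
        action_ok = _any_match(stmt["Action"], action)
    else:  # NotAction: every operation except the listed ones
        action_ok = not _any_match(stmt["NotAction"], action)
    return action_ok and _any_match(stmt["Resource"], resource)

def evaluate(policy, caller, action, resource):
    """Explicit Deny wins over Allow; a request nothing matches is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, caller, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def overly_broad(policy):
    """Indices of Allow statements giving everyone ("*") a wildcard action."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and s["Principal"] == "*"
            and any("*" in a for a in _as_list(s.get("Action", [])))]
```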

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.