Bucket Policies
Below you can find examples of common bucket policies.
| Policy Type | Effect |
|---|---|
| Public Read Access | Allows anyone, including unauthenticated requests, to read objects in the bucket. |
| User-Specific Access | Grants permissions to a specific IAM user. |
| IP Restriction (Allow) | Grants read access only to requests from a specific IP range; does not restrict principals that other policies already allow. |
| Deny All Except Certain IPs | Blocks read access from every source outside an approved IP range, even for principals that are allowed elsewhere. |
Set a Public Read Policy
This policy makes every object in the bucket readable by anyone. `"Principal": "*"` matches every caller, including unauthenticated (anonymous) requests, and `s3:GetObject` on `<bucket_name>/*` covers object reads only; it does not let callers list the bucket, which would need `s3:ListBucket` on the bucket ARN itself. Apply it only to buckets whose entire contents are meant to be public. On AWS S3 the Block Public Access settings override a public bucket policy; if your store offers an equivalent control, check it as well.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}
```
Apply this policy with the PutBucketPolicy operation of your S3 client.

Get a Bucket Policy

Check the current bucket policy with GetBucketPolicy. A bucket that has no policy returns the error code NoSuchBucketPolicy rather than an empty document.

Remove a Bucket Policy

Remove the bucket policy with DeleteBucketPolicy. Deleting the policy only removes the grants and denies in this document; object ACLs and IAM grants stay in effect.
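The apply, get and remove steps above as one script. This is an added example, not code from the original page; it assumes a client that exposes the boto3 method names `put_bucket_policy`, `get_bucket_policy` and `delete_bucket_policy` (for a real store, `boto3.client("s3", endpoint_url="https://<endpoint>")`). `FakeS3` is a constructed in-memory stand-in so the script runs offline, and the bucket names are constructed. It also adds a pre-flight check that refuses to apply a policy granting access to everyone unless the caller opts in.

```python
"""Apply, read back and remove a bucket policy through an S3-style client,
with a pre-flight check that refuses a policy granting access to everyone.

Added example, not from the original page. It assumes a client exposing the
boto3 method names put_bucket_policy / get_bucket_policy /
delete_bucket_policy. FakeS3 is a constructed in-memory stand-in so the
script runs offline; bucket names are constructed too.
"""
import json
from typing import Any, Optional


def public_read_policy(bucket: str) -> dict:
    """The page's 'Public Read Access' policy, filled in for one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _principals(stmt: dict) -> list:
    """Flatten Principal ("*", {"AWS": "arn"} or {"AWS": [...]}) to a list."""
    p = stmt.get("Principal")
    if p is None:
        return []
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out


def is_public(policy: dict) -> bool:
    """True if any Allow statement names the anonymous principal "*" with no
    Condition. A conditioned grant (e.g. on aws:SourceIp) is not flagged;
    this is a conservative triage check, not a full policy evaluator."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt) and not stmt.get("Condition"):
            return True
    return False


def apply_policy(s3: Any, bucket: str, policy: dict, allow_public: bool = False) -> None:
    """PutBucketPolicy; the service wants the document as a JSON string."""
    if is_public(policy) and not allow_public:
        raise ValueError(f"refusing to apply a public policy to {bucket}; pass allow_public=True")
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


def current_policy(s3: Any, bucket: str) -> Optional[dict]:
    """GetBucketPolicy, parsed; None when the bucket has no policy
    (boto3 signals that with a ClientError whose code is NoSuchBucketPolicy)."""
    try:
        resp = s3.get_bucket_policy(Bucket=bucket)
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchBucketPolicy":
            return None
        raise
    return json.loads(resp["Policy"])


def remove_policy(s3: Any, bucket: str) -> None:
    """DeleteBucketPolicy; ACLs and IAM grants remain in effect afterwards."""
    s3.delete_bucket_policy(Bucket=bucket)


class _ClientError(Exception):
    """Mimics the .response shape of botocore.exceptions.ClientError."""
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed stand-in for the three client calls used above."""
    def __init__(self):
        self.policies: dict = {}

    def put_bucket_policy(self, Bucket: str, Policy: str):
        json.loads(Policy)  # the real service rejects malformed JSON as well
        self.policies[Bucket] = Policy

    def get_bucket_policy(self, Bucket: str):
        if Bucket not in self.policies:
            raise _ClientError("NoSuchBucketPolicy")
        return {"Policy": self.policies[Bucket]}

    def delete_bucket_policy(self, Bucket: str):
        self.policies.pop(Bucket, None)


if __name__ == "__main__":
    s3 = FakeS3()  # swap for boto3.client("s3", endpoint_url=...) against a real store
    apply_policy(s3, "demo-bucket", public_read_policy("demo-bucket"), allow_public=True)
    print(json.dumps(current_policy(s3, "demo-bucket"), indent=2))
    remove_policy(s3, "demo-bucket")
    print(current_policy(s3, "demo-bucket"))
```

If you drive the store with the AWS CLI instead (an assumption; the page does not say which client it uses), the same three operations are `aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json`, `aws s3api get-bucket-policy --bucket <bucket_name>` and `aws s3api delete-bucket-policy --bucket <bucket_name>`, with `--endpoint-url` added for a non-AWS endpoint.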
Example Bucket Policies
Grant Access to a Specific User
This grants one IAM user read access to every object in the bucket and nothing else. The user can fetch objects by key but cannot enumerate them; listing needs a second statement allowing `s3:ListBucket` on the bucket ARN (`arn:aws:s3:::<bucket_name>`, without the trailing `/*`).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<tenant>:user/<user_id>" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}
```
Restrict Access to a Specific IP Range
This policy grants nothing by itself: it is an explicit Deny, which overrides any Allow the caller has from another statement or an IAM policy, so pair it with whatever grants access in the first place. Because the Principal is `*`, it applies to every caller, including the bucket owner and the credentials you administer the bucket with, whenever the request comes from outside 10.0.0.0/24. Test from an in-range address before applying it, or you can lock yourself out. `aws:SourceIp` is evaluated against the address the request arrives from at the storage endpoint; behind a NAT gateway or proxy that is the gateway's address, so a private range such as 10.0.0.0/24 only matches when the endpoint sees those addresses directly.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    }
  ]
}
```
Allow Access to Specific IP Address Range
Unlike the Deny above, this policy grants access: any caller, authenticated or not, may read objects when the request comes from 192.168.1.0/24. It does not restrict principals who are allowed by some other policy from other addresses. A bucket policy statement without a Principal is rejected by the service, so `"Principal": "*"` below is required.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.1.0/24"
        }
      }
    }
  ]
}
```
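The two IP-restricted policies behave very differently, and the difference is easiest to see by evaluating the same requests against both. The following is an added example, not code from the original page: a minimal evaluator that models only the features these policies use (Effect, Principal `*` or an IAM user ARN, Action, Resource, `IpAddress` / `NotIpAddress` on `aws:SourceIp`) plus the core rule that an explicit Deny overrides every Allow. It is not a full IAM evaluator. The bucket name, user ARN and addresses are constructed, and the `iam_allows` flag stands in for an identity-based policy that would grant the request on its own.

```python
"""Minimal evaluator for the two IP-restricted bucket policies above.

Added example, not from the original page. Models only Effect, Principal
("*" or an IAM user ARN), Action, Resource and IpAddress/NotIpAddress on
aws:SourceIp, plus "explicit Deny wins". Names and addresses are constructed.
"""
import fnmatch
import ipaddress

BUCKET = "example-bucket"                          # constructed
USER = "arn:aws:iam::123456789012:user/alice"     # constructed
ANON = "anonymous"  # unauthenticated request; only Principal "*" matches it

# "Restrict Access to a Specific IP Range": Deny everyone outside 10.0.0.0/24
DENY_OUTSIDE_RANGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/24"}},
    }],
}

# "Allow Access to Specific IP Address Range": anyone may read from 192.168.1.0/24
ALLOW_FROM_RANGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.0/24"}},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, principal):
    p = stmt.get("Principal")
    if p == "*":
        return True  # "*" covers every caller, authenticated or not
    if isinstance(p, dict):
        aws = _as_list(p.get("AWS", []))
        return "*" in aws or principal in aws
    return False  # a missing or unsupported Principal never matches


def _condition_matches(cond, source_ip):
    ip = ipaddress.ip_address(source_ip)
    for operator, kv in cond.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator {operator}")
        nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(kv.get("aws:SourceIp", []))]
        in_range = any(ip in n for n in nets)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy, principal, action, resource, source_ip, iam_allows=False):
    """Return 'allow' or 'deny' for one request.

    Start from deny; an identity-based allow (iam_allows, never for anonymous)
    or a matching bucket-policy Allow grants; any matching Deny wins regardless.
    """
    explicit_deny = False
    allowed = iam_allows and principal != ANON
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], source_ip):
            continue
        if stmt["Effect"] == "Deny":
            explicit_deny = True
        elif stmt["Effect"] == "Allow":
            allowed = True
    return "deny" if explicit_deny else ("allow" if allowed else "deny")


def compare():
    """Run the same four GetObject requests against both policies;
    returns {label: (result under Deny policy, result under Allow policy)}."""
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    requests = [
        ("user in-range", USER, "10.0.0.5", True),
        ("user out-of-range", USER, "203.0.113.9", True),
        ("anon 10.0.0.0/24", ANON, "10.0.0.5", False),
        ("anon 192.168.1.0/24", ANON, "192.168.1.20", False),
    ]
    return {
        label: (
            evaluate(DENY_OUTSIDE_RANGE, who, "s3:GetObject", obj, ip, iam),
            evaluate(ALLOW_FROM_RANGE, who, "s3:GetObject", obj, ip, iam),
        )
        for label, who, ip, iam in requests
    }


if __name__ == "__main__":
    for label, (under_deny, under_allow) in compare().items():
        print(f"{label:22} deny-policy={under_deny:5} allow-policy={under_allow}")
```

The table `compare()` produces is the point: under the Deny policy an IAM-allowed user is blocked from 203.0.113.9 and an anonymous caller gets nothing even from 10.0.0.5, while under the Allow policy anonymous callers succeed from 192.168.1.20 and the IAM-allowed user is never restricted, from any address. Note also that the Deny covers only `s3:GetObject`; other actions pass through untouched.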