
Examples for Amazon S3 Bucket Policies

Bucket Policy is an Amazon S3 feature that lets you allow or deny specific actions, whereas ACLs can only grant permissions. You can choose either mechanism to control access to S3 objects. We recommend using a Bucket Policy when you want to apply it to a group, user, or bucket. You can migrate ACLs to a Bucket Policy. Bucket Explorer supports Amazon S3's Bucket Policy feature. A bucket policy lets users author policies that either grant or deny access to any number of accounts and across a range or set of keys. This page lists a number of different types of bucket policies that you can set on an S3 bucket for various purposes. You can set the following bucket policies using a PUT Bucket Policy request.

Syntax:

PUT /?policy HTTP/1.1
Host: BucketName.s3.amazonaws.com
Date: date
Authorization: signatureValue

add your policy here
 

Various examples for setting a bucket policy:

  1. How to allow access to anonymous users
    • The following example policy allows access to anonymous users.


      {
        "Id": "ds",
        "Statement": [{
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Principal": {"AWS": "*"},
          "Resource": [
            "arn:aws:s3:::testbucket",
            "arn:aws:s3:::testbucket/*"
          ],
          "Sid": "1"
        }],
        "Version": "2008-10-17"
      }
     
  2. Bucket policy to enable log delivery to an S3 bucket
    • The following policy allows S3 log delivery to the bucket for a specified account. You have to use the ARN specified in this policy to identify the Log Delivery group.


      {
        "Id": "LogPolicy",
        "Statement": [{
          "Action": [
            "s3:GetBucketAcl",
            "s3:GetObjectAcl",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::858827067514:root"},
          "Resource": [
            "arn:aws:s3:::testbucket/*",
            "arn:aws:s3:::testbucket"
          ],
          "Sid": "Enables the log delivery group"
        }],
        "Version": "2008-10-17"
      }
     
  3. Policy for Denying Access to Specific IP Addresses
    • This example policy shows how to deny access for a specified IP address. Specify the IP address in the condition shown in the example below.

      {
        "Id": "S3PolicyId1",
        "Statement": [
          {
            "Action": "s3:*",
            "Condition": {
              "IpAddress": {"aws:SourceIp": "192.168.0.125/24"},
              "NotIpAddress": {"aws:SourceIp": "192.168.143.124/14"}
            },
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Resource": "arn:aws:s3:::testbucket/*",
            "Sid": "IPAllow"
          },
          {
            "Action": "s3:*",
            "Condition": {"IpAddress": {"aws:SourceIp": "12.1.1.0/25"}},
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Resource": "arn:aws:s3:::testbucket/*",
            "Sid": "IP-Deny"
          }
        ],
        "Version": "2008-10-17"
      }
     
  4. Policy for Restricting Access to a Specific HTTP Referrer
    • This policy shows how to allow access on the basis of the HTTP Referrer.


      {
        "Id": "policy example of http referer",
        "Statement": [{
          "Action": "s3:GetObject",
          "Condition": {"StringLike": {"aws:Referer": [
            "http://www.bucketexplorer.com/*",
            "http://bucketexplorer.com/*"
          ]}},
          "Effect": "Allow",
          "Principal": "*",
          "Resource": "arn:aws:s3:::testbucket/*",
          "Sid": "Allow get requests referred by specific website"
        }],
        "Version": "2008-10-17"
      }
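
Several of the policies above grant access to the anonymous principal (`"Principal": "*"` or `{"AWS": "*"}`), so it helps to check a policy document before sending it with PUT Bucket Policy. The following Python check is an added example, not part of Bucket Explorer or of this page's original content; `audit_policy`, the finding labels and the sample document are assumptions made for illustration. It flags resource ARNs that contain whitespace, anonymous `Allow` statements with no condition, anonymous grants guarded only by `aws:Referer`, and anonymous grants of all actions.

```python
import json
import re

S3_ARN = re.compile(r"^arn:aws:s3:::[^\s/]+(/\S*)?$")  # bucket or object ARN, no whitespace

def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for "Principal": "*" or {"AWS": "*"}, i.e. any caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_policy(policy_json):
    """Return a list of (sid, finding) tuples for one bucket policy document."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        for arn in _as_list(stmt.get("Resource", [])):
            if not S3_ARN.match(arn):
                findings.append((sid, "malformed-arn"))
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        cond = stmt.get("Condition", {})
        keys = {k.lower() for op in cond.values() for k in op}
        if not cond:
            findings.append((sid, "public-unconditional"))
        elif keys == {"aws:referer"}:
            # The Referer header is set by the client, so it is not authentication.
            findings.append((sid, "public-referer-only"))
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            findings.append((sid, "public-all-actions"))
    return findings

# Constructed sample modelled on the referrer policy above, with whitespace
# deliberately left inside the ARN so that the ARN check fires.
SAMPLE = """{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "Allow get requests referred by specific website",
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Condition": {"StringLike": {"aws:Referer": ["http://www.bucketexplorer.com/*"]}},
    "Resource": "arn:aws:s3::: testbucket /*"
  }]
}"""

if __name__ == "__main__":
    print(audit_policy(SAMPLE))
```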