---
title: "Permissions: Defining a Policy and Enabling"
slug: "bucket-policy"
description: "Permissions are available to attach a policy to a bucket to define the actions that can take place on the bucket and the conditions under which those actions can occur. In addition to defining a bucket policy, you can edit an existing policy or delete it. Define, edit, and delete a bucket policy through bucket Settings (Permissions). "
tags: ["Account Settings", "Bucket Policy", "Delete Bucket Policy", "Edit Bucket Policy", "Policies", "Settings"]
updated: 2025-12-30T22:21:45Z
published: 2025-12-30T22:21:45Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wasabi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Permissions: Defining a Policy and Enabling

Permissions are available to:

- Attach a policy to a bucket to define the actions that can take place on the bucket and the conditions under which those actions can occur. In addition to defining a bucket policy, you can edit an existing policy or delete it. Defining, editing, and deleting a bucket policy are described in this article.
- Define a [cross-origin resource sharing (CORS) configuration](https://docs.wasabi.com/docs/cross-origin-resource-sharing-cors), formatted in JSON, to describe how client web applications access resources from a domain different from its own.

## Defining a Bucket Policy

1. On the Buckets list, click ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1698327400423.png) for the desired bucket.
2. Click **Settings**.
3. Click the **Permissions**tab.

If a policy is not already defined for the bucket, the panel will be blank, as shown below.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1727391395267.png)

If the panel appears with a policy defined, you can edit it (see [Editing a Bucket Policy](https://docs.wasabi.com/docs/bucket-policy#editing-a-bucket-policy)).

> You can click ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/copy.png) to copy the Amazon Resource Name (ARN) to the clipboard. The following are the general formats for ARNs:
> 
> arn:aws:service:account-id:resource-id arn:aws:service:account-id:resource-type/resource-id arn:aws:service:account-id:resource-type:resource-id
4. Click **Edit**and then enter the code for the policy. For example:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1718730404316.png)

The following policy makes the bucket and its content public.

> **By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at**[**support@wasabi.com**](mailto:support@wasabi.com)**for assistance.**

```plaintext
{
                "Version": "2012-10-17",
                "Statement": [
                {
                "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {
                "AWS": "*"
                },
                "Action": "s3:GetObject", "Resource": [
                "arn:aws:s3:::<BUCKET>/*",
                "arn:aws:s3:::<BUCKET>"
                ]
                }
                ]
                }
```

The following policy is an example of just allowing a specific IP address:

```plaintext
{
                "Id": "S3PolicyId1",
                "Version": "2012-10-17",
                "Statement": [
                {
                "Sid": "IPAllow",
                "Effect": "Allow", "Principal": {
                "AWS": "*",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::<BUCKET>/*", "Condition": {
                "IpAddress": {
                "aws:SourceIp": "77.19.132.0/24"
                },
                "NotIpAddress": {
                "aws:SourceIp": "76.19.132.120/32"
                }
                }
                }
                }
                ]
                }
```

This policy grants permission to multiple accounts. In the example below, two accounts (arn:aws:iam::100000000164:root and arn:aws:iam::100000000162:root) are given access to objects under a bucket named multi-account.

```plaintext
{
                "Version": "2012-10-17",
                "Statement": [
                {
                "Sid": "AddCannedAcl", "Effect": "Allow", "Principal": {
                "AWS": [
                "arn:aws:iam::100000000164:root", "arn:aws:iam::100000000162:root"
                ]
                },
                "Action": [ "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::multi-account/*"
                }
                ]
                }
```

Note that syntax errors will be flagged as you enter information. For example:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1718729478236.png)
5. Click **Save**after entering the code.
6. When the policy code is valid, you can click **Save**to create the policy.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1718736609392.png)

## Defining a Cross-Origin Resource Sharing (CORS) Policy

Refer to [Cross-Origin Resource Sharing (CORS)](https://docs.wasabi.com/docs/cross-origin-resource-sharing-cors).

## Editing a Bucket Policy

If a policy exists for a bucket, you can edit it.

1. On the Buckets list, click ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1698327400423.png) for the desired bucket.
2. Click **Settings**.
3. Click the **Permissions**tab.
4. Click **Edit**and then modify the content of the policy, as required.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1718732497464.png)
5. Click **Save**.

## Deleting a Bucket Policy

If a policy exists for a bucket, you can delete it.

1. On the Buckets list, click ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1698327400423.png) for the desired bucket.
2. Click **Settings**.
3. Click the **Permissions**tab.
4. Click **Delete**.
5. A message requests that you confirm your decision to delete. Click **Delete**to confirm.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1718736797284.png)

## Related

- [Bucket Settings](/bucket-management.md)