Bucket Access Restriction Based on a Resource Policy


When sub-users are defined in the Wasabi account, you can use either resource-based or identity-based policies to restrict bucket access. Resource-based policies, as described in this article, are attached to resources (buckets), whereas identity-based policies are attached to groups or users. Both kinds are evaluated together for each request. (Also refer to Object Access Restriction Based on a Policy.)

If your company has numerous users, you may want to automate the entire process of creating users, buckets, policies, groups, and delegated user access. Refer to Automating Infrastructure Design for Wasabi.

This article provides examples of resource-based policies that restrict which users can access a particular bucket and which S3 protocol actions they may perform. Resource-based policies can also be used to ensure that the bucket is reachable only over encrypted HTTPS.

Notation in the policy examples includes:

  • Version—This string identifies the policy language version and must be "2012-10-17" in every policy shown here. It is not a date you update; leave it exactly as written.

  • AccountNumber—Get this by looking at the Users list on the Wasabi Console. The AccountNumber is the same for all users under the same account.

  • User1, User2, and so on—Replace these with the actual user names.

  • BucketName—Replace this with the bucket name.

  • Action—s3:* allows all S3 actions. However, you can use a more restrictive list of S3 actions, such as the following, which only allows users to list the objects in the bucket and download them, but not delete or upload objects:

    "Action": ["s3:GetObject","s3:ListBucket"],

    Note that s3:ListBucket applies to the bucket itself (arn:aws:s3:::BucketName) and s3:GetObject applies to the objects in it (arn:aws:s3:::BucketName/*), so the Resource list must keep both entries for this restricted Action list to work.

Policy to Limit User Bucket Access

This policy limits who can access a particular bucket. Policy evaluation defaults to an implicit deny, so a sub-user (non-Root user) cannot access the bucket unless some policy explicitly allows it; this bucket policy grants access only to the users listed in its Principal element. The policy is applied to the resource (the bucket), not to users/groups. Keep in mind that an identity-based policy attached to a user or group can also allow access to the bucket: a bucket policy that merely omits a user does not deny that user, because only an explicit Deny overrides an Allow granted elsewhere.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LimitBucketAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountNumber:user/User1",
          "arn:aws:iam::AccountNumber:user/User2",
          "arn:aws:iam::AccountNumber:user/UserN"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BucketName",
        "arn:aws:s3:::BucketName/*"
      ]
    }
  ]
}

Policy to Limit User Bucket Access and Force HTTPS

This is the same resource-based policy as above, with a second statement that forces the use of HTTPS, mandating encryption while the data is in transit. The EnforceHTTPS statement is an explicit Deny for every principal ("AWS": "*") that matches only when the request arrives over plain HTTP (aws:SecureTransport is false), so it overrides the Allow above for such requests.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LimitBucketAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountNumber:user/User1",
          "arn:aws:iam::AccountNumber:user/User2",
          "arn:aws:iam::AccountNumber:user/UserN"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BucketName",
        "arn:aws:s3:::BucketName/*"
      ]
    },
    {
      "Sid": "EnforceHTTPS",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BucketName",
        "arn:aws:s3:::BucketName/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Add-On Identity-Based Policy for S3 Client Compatibility

In addition to the resource-based policies above, you can use the following identity-based policy for compatibility with more S3 client applications. Attach it to a user group (preferred) or to individual users. It cannot be expressed in a bucket policy, because s3:ListAllMyBuckets operates on the account rather than on any one bucket.

Some S3 clients list all buckets when they connect and fail without this permission. s3:ListAllMyBuckets only reveals bucket names; it does not grant access to the contents of any bucket. Still, use this policy only if you are comfortable with users seeing the names of other users' buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Policy to Force HTTPS Without User Restrictions

This policy only forces the use of HTTPS when accessing the bucket data. It does not restrict user access: the AllowBucketAccess statement uses a wildcard principal (arn:aws:iam::AccountNumber:*) that grants every user in the account all S3 actions on the bucket, and the EnforceHTTPS Deny then blocks any of them that connect over plain HTTP.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBucketAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountNumber:*"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BucketName",
        "arn:aws:s3:::BucketName/*"
      ]
    },
    {
      "Sid": "EnforceHTTPS",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BucketName",
        "arn:aws:s3:::BucketName/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Policy to Force HTTPS Without Any Non-Root User Access

Use this policy to force encrypted HTTPS access. On its own it grants nothing to sub-users; it contains only the Deny for plain-HTTP requests. You can use identity-based policies in conjunction with this bucket policy to allow user access to the bucket, and the Deny will still apply to those users because it matches every principal.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceHTTPS",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BucketName",
        "arn:aws:s3:::BucketName/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
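To check your understanding of how the user-restricting, HTTPS-enforcing, and add-on identity-based policies above combine, the following added example (not Wasabi code and not part of the original article) builds the Limit User Bucket Access policy programmatically and runs a small evaluator over constructed requests. It assumes the AWS-style evaluation order that the policies in this article rely on: an applicable explicit Deny wins, otherwise any applicable Allow (from the bucket policy or from an identity-based policy) grants, otherwise the request is implicitly denied. The account number, user names, and object key are placeholders, and only the Bool condition operator is modelled.

```python
"""Added example: a small simulator for how the bucket policies in this
article are evaluated. Not Wasabi code; the AccountNumber, user names and
object key below are placeholders. Assumes AWS-style evaluation order:
an applicable explicit Deny wins, otherwise any applicable Allow (bucket
policy or identity-based policy) grants, otherwise the request is
implicitly denied."""
import fnmatch
import json

ACCOUNT = "100000000000"  # placeholder AccountNumber
BUCKET = "BucketName"     # placeholder bucket name


def limit_bucket_access_policy(account, bucket, users, actions="s3:*", enforce_https=True):
    """Build the article's 'Limit User Bucket Access' policy, optionally with the EnforceHTTPS Deny."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    statements = [{
        "Sid": "LimitBucketAccess",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{account}:user/{u}" for u in users]},
        "Action": actions,
        "Resource": resources,
    }]
    if enforce_https:
        statements.append({
            "Sid": "EnforceHTTPS",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": resources,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _matches(patterns, value):
    """IAM-style wildcard match: '*' matches any run of characters."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _applies(stmt, principal_arn, action, resource, context):
    """True if the statement's Principal, Action, Resource and Condition all match the request."""
    principal = stmt.get("Principal", "*")  # identity-based statements carry no Principal
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if not (_matches(principal, principal_arn) and _matches(stmt["Action"], action)
            and _matches(stmt["Resource"], resource)):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} is not modelled here")
        for key, expected in keys.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def evaluate(principal_arn, action, resource, bucket_policy, identity_policy=None, secure_transport=True):
    """Return 'Allow' or 'Deny' for one request, given the bucket policy and the
    requester's identity-based policy (if any)."""
    context = {"aws:SecureTransport": "true" if secure_transport else "false"}
    decision = "Deny"  # implicit deny until an Allow is found
    for policy in (bucket_policy, identity_policy):
        for stmt in (policy or {"Statement": []})["Statement"]:
            if not _applies(stmt, principal_arn, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision


def demo():
    """Exercise the article's policies with constructed requests."""
    policy = limit_bucket_access_policy(ACCOUNT, BUCKET, ["User1", "User2"])
    read_only = limit_bucket_access_policy(ACCOUNT, BUCKET, ["User1"],
                                           actions=["s3:GetObject", "s3:ListBucket"])
    user1 = f"arn:aws:iam::{ACCOUNT}:user/User1"
    user3 = f"arn:aws:iam::{ACCOUNT}:user/User3"  # not listed in the bucket policy
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"       # constructed object key
    # Identity-based policy attached to User3 that the bucket policy knows nothing about.
    user3_identity = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
    return {
        "listed_user_https": evaluate(user1, "s3:GetObject", obj, policy),
        "listed_user_http": evaluate(user1, "s3:GetObject", obj, policy, secure_transport=False),
        "unlisted_user_https": evaluate(user3, "s3:GetObject", obj, policy),
        # The bucket policy only adds an Allow; an identity-based Allow still grants an unlisted user...
        "unlisted_user_identity_allow": evaluate(user3, "s3:GetObject", obj, policy, user3_identity),
        # ...but the EnforceHTTPS Deny (Principal "*") still blocks that user over plain HTTP.
        "unlisted_user_identity_allow_http": evaluate(user3, "s3:GetObject", obj, policy,
                                                      user3_identity, secure_transport=False),
        "read_only_list": evaluate(user1, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}", read_only),
        "read_only_delete": evaluate(user1, "s3:DeleteObject", obj, read_only),
    }


if __name__ == "__main__":
    print(json.dumps(limit_bucket_access_policy(ACCOUNT, BUCKET, ["User1", "User2"]), indent=2))
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Running the script prints the generated policy and then the decision for each constructed request. The two cases worth noting are unlisted_user_identity_allow, which shows that leaving a user out of the bucket policy's Principal list is not a denial when an identity-based policy grants that user access, and unlisted_user_identity_allow_http, which shows that the EnforceHTTPS Deny still reaches that user because it matches every principal.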