Policies in Wasabi Hot Cloud Storage


Wasabi Supports Policies and Access Control Lists (ACLs)

Wasabi supports policies and ACLs to grant and deny access to buckets and objects in your account. ACLs, while useful in some circumstances, have generally been deprecated in favor of policies. ACLs have been integrated into Wasabi primarily for backward compatibility with developers' legacy systems that require such functionality.

ACLs in Wasabi are designed primarily to grant external Wasabi accounts, as opposed to sub-users, access to your Wasabi account.

You should use bucket policies to restrict bucket or object (folder/file) access to specific sub-users (as well as external Wasabi accounts). Wasabi bucket policy functionality is often compatible with other cloud storage providers, and you can find additional Internet articles that explain how to use bucket policies to restrict access. 

Wasabi Policies

Each user and group can be associated with one or more policies to define the actions that a user or group member can perform and the conditions under which those actions can take place. You can attach a policy to a user, group, and/or role.

You can create up to 1000 policies per account. 

You can attach a policy to a bucket. This is described in Bucket Policy.

Wasabi provides predefined policies that you can attach to a user, group, and/or role. These policies are:

  • AdministratorAccess—Gives full access to all resources (IAM and S3) with no limitation whatsoever.
  • AmazonS3FullAccess—Gives full access to all S3 resources, but no IAM access.
  • AmazonS3ReadOnlyAccess—Gives just the Get and List permissions on any S3 resource/bucket, but no IAM access.
  • IAMUserChangePassword—Gives the user permission to change their password upon initial sign-in.
  • ManageWCSM Replication—Gives the user permission to manage Wasabi Cloud Sync Manager (WCSM) replication features. 
  • WasabiAccountStatsAccess—Gives root users full access to the account stats endpoints and to the bucket stats endpoints for all buckets.
  • WasabiAdministratorAccess—Gives full access to all resources (IAM and S3) with no limitation whatsoever. This is similar to AdministratorAccess, above.
  • WasabiBucketStatsAccess—Gives sub-users limited access to the bucket utilization endpoints.
  • WasabiFullAccess—Gives full permissions to all S3 resources and sign in permissions to users.
  • WasabiManageEventNotifications—Gives the user permission to manage event notifications. 
  • WasabiModifyBillingAccess—Gives the user permission to modify the billing access portal.
  • WasabiReadOnlyAccess—Gives just the Get and List permissions to all S3 resources and login permissions to users.
  • WasabiViewAuditLogs—Gives the user permission to view and download the audit logs.
  • WasabiViewBillingAccess—Gives the user permission to view the billing access portal.
  • WasabiViewEventNotifications—Gives the user permission to view event notifications.
  • WasabiWriteOnlyAccess—Gives just the Put and MultipartAbort permissions to all S3 resources, but no IAM access. The user cannot sign in with just this policy attached.
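
One way to review which predefined policies are attached to each identity, using the descriptions in the list above. This is an added example, not Wasabi code. The capability sets, the finding names and the sample inventory are constructed for illustration, and treating AmazonS3ReadOnlyAccess as granting no sign-in is an assumption drawn from its "no IAM access" wording.

```python
"""Review predefined-policy attachments for excess privilege (added example)."""

# Capability sets transcribed from the wording of the list above. This is a
# model built for this example, not the JSON Wasabi stores for each policy.
S3_FULL = {"s3:get-list", "s3:put-abort", "s3:other"}
CAPS = {
    "AdministratorAccess": S3_FULL | {"iam", "signin"},
    "WasabiAdministratorAccess": S3_FULL | {"iam", "signin"},
    "WasabiFullAccess": S3_FULL | {"signin"},
    "WasabiReadOnlyAccess": {"s3:get-list", "signin"},
    "AmazonS3ReadOnlyAccess": {"s3:get-list"},
    "WasabiWriteOnlyAccess": {"s3:put-abort"},
}

# Constructed inventory: identity name -> attached predefined policies.
SAMPLE = {
    "backup-writer": ["WasabiWriteOnlyAccess"],
    "analyst": ["WasabiReadOnlyAccess", "AmazonS3ReadOnlyAccess"],
    "ops-lead": ["WasabiAdministratorAccess", "WasabiFullAccess"],
    "auditor": ["WasabiViewAuditLogs"],
}


def review(attachments):
    """Return sorted (identity, finding, policy) tuples for an inventory."""
    findings = []
    for identity, policies in attachments.items():
        known = [p for p in policies if p in CAPS]
        for p in policies:
            if p not in CAPS:
                # Not covered by the model above: needs a manual look.
                findings.append((identity, "unmodelled", p))
            elif "iam" in CAPS[p]:
                findings.append((identity, "iam-admin", p))
        # A policy adds nothing if another attached policy covers all it
        # grants; for two identical grants, only the later name is flagged.
        for p in known:
            if any(q != p and CAPS[p] <= CAPS[q]
                   and (CAPS[p] < CAPS[q] or q < p) for q in known):
                findings.append((identity, "redundant", p))
        granted = set().union(*(CAPS[p] for p in known))
        if known and "signin" not in granted:
            findings.append((identity, "cannot-sign-in", ",".join(sorted(known))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="\t")
```

Policies outside the model, such as WasabiViewAuditLogs, are reported as `unmodelled` rather than silently passed, so they still get a manual look.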