Bucket Policy
  • 05 Apr 2023
  • PDF

Article Summary

You can attach a policy to define the actions that can take place on a bucket and the conditions under which those actions can occur. In addition, you can edit an existing policy or delete it.

Defining a Bucket Policy

  1. Click for the bucket and click Settings.
  2. Click the POLICIES tab.
  3. If a policy is not already defined for the bucket, the panel will appear as:

    If the panel appears with a policy defined, you can edit it (see Editing a Bucket Policy).

    You can click to copy the Amazon Resource Name (ARN) to the clipboard. The following are the general formats for ARNs:
    arn:aws:service:account-id:resource-id
    arn:aws:service:account-id:resource-type/resource-id
    arn:aws:service:account-id:resource-type:resource-id
  4. Enter code for the policy. For example:

    The following policy makes the bucket and its contents public.

    By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowPublicRead",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::mybucket"
          ]
        }
      ]
    }

    The following policy is an example that allows access only from a specific IP address range:

    {
      "Id": "S3PolicyId1",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "IPAllow",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::vbatra-ip-only/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "77.19.132.0/24"
            },
            "NotIpAddress": {
              "aws:SourceIp": "76.19.132.120/32"
            }
          }
        }
      ]
    }

    The following policy grants permission to multiple accounts. In this example, two accounts (arn:aws:iam::100000000164:root and arn:aws:iam::100000000162:root) are given access to objects under a bucket named multi-account.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AddCannedAcl",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::100000000164:root",
              "arn:aws:iam::100000000162:root"
            ]
          },
          "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Resource": "arn:aws:s3:::multi-account/*"
        }
      ]
    }

    Note that syntax errors will be flagged as you enter information. In this example, the colon (:) is missing after “Statement” in line 3:

  5. When you see you can click SAVE to create the policy.
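The console flags JSON syntax errors, but a policy can be well-formed JSON and still grant more than intended (an anonymous principal with no Condition, an IP exclusion that never matches, a Resource ARN copied from another bucket). The script below is an added example, not Wasabi's own code: it parses ARNs in the six-field form used by the page's own examples (the general formats in step 3 are written without the region field), and runs a small set of review checks over the three policies from step 4 before they are saved. The helper names (`parse_arn`, `s3_bucket`, `audit_policy`) and the choice of what counts as a finding are this example's assumptions; it uses only the Python standard library.

```python
"""Audit an S3-style bucket policy before saving it.

Added example, not Wasabi's own code. The three policy documents below are the
ones shown on this page; the audit rules and helper names are assumptions.
"""
import ipaddress
from typing import Optional


def parse_arn(arn: str) -> dict:
    """Split a six-field ARN (arn:partition:service:region:account-id:resource).

    The resource part may itself contain ':' or '/', so the split stops after
    five colons. Region and account are empty strings for S3 bucket ARNs.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not a six-field ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource": resource}


def s3_bucket(arn: str) -> str:
    """Bucket name from an S3 ARN: the resource part up to the first '/'."""
    fields = parse_arn(arn)
    if fields["service"] != "s3":
        raise ValueError(f"not an S3 ARN: {arn!r}")
    return fields["resource"].split("/", 1)[0]


def _as_list(value) -> list:
    # Policy grammar allows a scalar wherever a list is allowed; normalise.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list:
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return []


def _networks(values) -> list:
    return [ipaddress.ip_network(v, strict=False) for v in _as_list(values)]


def audit_policy(policy: dict, expected_bucket: Optional[str] = None) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    statements = policy.get("Statement")
    if not isinstance(statements, list):
        return ['"Statement" must be a list of statement objects']
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement {index}")
        principal = stmt.get("Principal")
        # A stray closing brace leaves Action/Resource/Condition inside Principal:
        # still valid JSON, so only a structural check catches it.
        if isinstance(principal, dict):
            misplaced = sorted(set(principal) & {"Action", "Resource", "Condition"})
            if misplaced:
                findings.append(f"{sid}: {misplaced} nested inside Principal; check the closing brace")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        condition = stmt.get("Condition") or {}
        anonymous = "*" in _principals(stmt)
        if anonymous and not condition:
            findings.append(f"{sid}: anonymous principal with no Condition (public access)")
        if anonymous and any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: anonymous principal granted {actions}")
        # IP conditions: an allow-all range, or an exclusion that lies entirely
        # outside the allowed ranges and therefore never changes the result.
        allowed = _networks(condition.get("IpAddress", {}).get("aws:SourceIp"))
        excluded = _networks(condition.get("NotIpAddress", {}).get("aws:SourceIp"))
        if any(net.prefixlen == 0 for net in allowed):
            findings.append(f"{sid}: aws:SourceIp allows every address")
        for net in excluded:
            if allowed and not any(net.overlaps(a) for a in allowed):
                findings.append(f"{sid}: NotIpAddress {net} is outside the IpAddress ranges, so it excludes nothing")
        # Every Resource should belong to the bucket the policy is attached to.
        for resource in _as_list(stmt.get("Resource")):
            if expected_bucket and s3_bucket(resource) != expected_bucket:
                findings.append(f"{sid}: Resource {resource} is not in bucket {expected_bucket}")
    return findings


# The three policies from this page, as Python dicts.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::mybucket/*", "arn:aws:s3:::mybucket"]}]}
IP_ONLY = {"Id": "S3PolicyId1", "Version": "2012-10-17", "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::vbatra-ip-only/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "77.19.132.0/24"},
                  "NotIpAddress": {"aws:SourceIp": "76.19.132.120/32"}}}]}
MULTI_ACCOUNT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AddCannedAcl", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::100000000164:root", "arn:aws:iam::100000000162:root"]},
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
    "Resource": "arn:aws:s3:::multi-account/*"}]}
```

Run against the page's examples, `audit_policy(PUBLIC_READ, "mybucket")` reports the anonymous grant with no Condition (that is the intended public-read effect, so the finding is a confirmation, not an error); `audit_policy(IP_ONLY, "vbatra-ip-only")` reports that `s3:*` is granted to an anonymous principal and that the `NotIpAddress` range 76.19.132.120/32 lies outside 77.19.132.0/24 and so excludes nothing; `audit_policy(MULTI_ACCOUNT, "multi-account")` returns no findings. Passing the bucket the policy is actually attached to as `expected_bucket` catches a Resource ARN pasted from a different bucket.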

Editing a Bucket Policy

If a policy exists for a bucket, you can edit it.

  1. Click for the bucket and click Settings.
  2. Click the POLICIES tab.
  3. Edit the content of the policy, as required.
  4. Click SAVE.

Deleting a Bucket Policy

If a policy exists for a bucket, you can delete it.

  1. Click for the bucket and click Settings.
  2. Click the POLICIES tab.
  3. Click DELETE.
