Permissions: Defining a Policy and Enabling
    • 25 Jun 2024

    The Permissions tab lets you attach a policy to a bucket. The policy defines which actions can be performed on the bucket and its objects, by which principals, and under which conditions. You can also edit or delete an existing bucket policy. Defining, editing, and deleting a bucket policy are described in this article.

    Defining a Bucket Policy

    1. On the Buckets list, click the icon for the desired bucket.
    2. Click Settings.
    3. Click the Permissions tab.

      If no policy is defined for the bucket, the panel is blank.

      If the panel shows an existing policy, you can edit it (see Editing a Bucket Policy).

      You can click the copy icon to copy the bucket's Amazon Resource Name (ARN) to the clipboard. The general ARN formats are:
      arn:partition:service:region:account-id:resource-id
      arn:partition:service:region:account-id:resource-type/resource-id
      arn:partition:service:region:account-id:resource-type:resource-id
      For S3-style bucket ARNs the partition is aws and the region and account-id fields are left empty, so the bucket is arn:aws:s3:::<BUCKET> and the objects in it are arn:aws:s3:::<BUCKET>/*. Actions on the bucket itself (such as s3:ListBucket) must reference the bucket ARN; actions on objects (such as s3:GetObject) must reference the object ARN.
    4. Click Edit and then enter the policy JSON. For example:

      The following policy makes every object in the bucket readable by anyone, with or without Wasabi credentials. Replace <BUCKET> with your bucket name. Because s3:GetObject is an object-level action, only the arn:aws:s3:::<BUCKET>/* resource is required; the bucket ARN is included for completeness but grants nothing on its own. The policy does not grant s3:ListBucket, so the bucket contents cannot be enumerated, but any object whose key is known or guessed can be downloaded. Use this only for content that is meant to be public.

      By default, public use of a bucket, folder, or file is allowed only for certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
              "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": [
              "arn:aws:s3:::<BUCKET>/*",
              "arn:aws:s3:::<BUCKET>"
            ]
          }
        ]
      }

      The following policy allows access only from a specific IP range. Replace <BUCKET> with your bucket name. The Principal "*" combined with the aws:SourceIp condition means that any request, authenticated or anonymous, is allowed when it arrives from 77.19.132.0/24, except from the single address 77.19.132.120, which the NotIpAddress condition excludes. An address under NotIpAddress must fall inside the IpAddress range; an exclusion outside the range has no effect. The condition is evaluated against the source address of the request as the service sees it, so clients behind NAT or a proxy all share one source address. Note also that "s3:*" on the object resource grants every object-level action, including s3:PutObject and s3:DeleteObject, to anyone on that network; in practice, list only the actions that are needed. Action, Resource, and Condition are keys of the statement, not of Principal.

      {
        "Id": "S3PolicyId1",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
              "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<BUCKET>/*",
            "Condition": {
              "IpAddress": {
                "aws:SourceIp": "77.19.132.0/24"
              },
              "NotIpAddress": {
                "aws:SourceIp": "77.19.132.120/32"
              }
            }
          }
        ]
      }

      The following policy grants permission to multiple accounts. Two accounts (arn:aws:iam::100000000164:root and arn:aws:iam::100000000162:root) are given access to a bucket named multi-account. Because s3:ListBucket is a bucket-level action, the Resource list must include the bucket ARN as well as the object ARN; with only arn:aws:s3:::multi-account/* listed, the object actions work but listing is denied. As in AWS, naming an account's root principal delegates access to that account; individual users in those accounts also need an identity policy that allows the same actions.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AddCannedAcl",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "arn:aws:iam::100000000164:root",
                "arn:aws:iam::100000000162:root"
              ]
            },
            "Action": [
              "s3:GetObject",
              "s3:ListBucket",
              "s3:PutObject",
              "s3:PutObjectAcl"
            ],
            "Resource": [
              "arn:aws:s3:::multi-account",
              "arn:aws:s3:::multi-account/*"
            ]
          }
        ]
      }

      Syntax errors are flagged as you enter the policy.

    5. When the policy is valid, click Save to create it.
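    The policies above are easy to get wrong by hand: a key pasted one level too deep (Action, Resource, or Condition inside Principal), a bucket-level action listed against only the object ARN, or a NotIpAddress exclusion that lies outside the IpAddress range and therefore excludes nothing. The console only checks JSON syntax, not these semantic mistakes. The following Python script is an added example, not Wasabi's code and not part of the original article; it lints a policy for these patterns offline before you paste it into the Permissions tab, and builds a least-privilege version of the IP-restricted policy. The two embedded policies are constructed inputs, and the bucket name demo-bucket, the function names, and the set of bucket-level actions it knows about are assumptions.

```python
import ipaddress
import json

# Bucket-level actions are evaluated against the bucket ARN (arn:aws:s3:::bucket);
# listing them against only the object ARN (arn:aws:s3:::bucket/*) grants nothing.
# Assumed subset of bucket-level actions, enough for the examples on this page.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketPolicy",
                        "s3:PutBucketPolicy", "s3:DeleteBucket"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_bucket_arn(resource):
    """True for arn:aws:s3:::bucket, False for arn:aws:s3:::bucket/... (object paths)."""
    return "/" not in resource.split(":::", 1)[-1]


def lint_policy(policy_text):
    """Return a list of findings for a bucket-policy JSON string (empty means clean)."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Statement keys pasted inside Principal (a common hand-editing error):
        # the statement then has no Action/Resource and grants nothing useful.
        if isinstance(principal, dict):
            misplaced = sorted({"Action", "Resource", "Condition"} & set(principal))
            if misplaced:
                findings.append(f"{sid}: {misplaced} nested inside Principal; move to statement level")
        for key in ("Action", "Resource"):
            if key not in stmt:
                findings.append(f"{sid}: missing {key}")
        actions = set(_as_list(stmt.get("Action")))
        resources = _as_list(stmt.get("Resource"))
        needs_bucket_arn = sorted(actions & BUCKET_LEVEL_ACTIONS)
        if needs_bucket_arn and not any(_is_bucket_arn(r) for r in resources):
            findings.append(f"{sid}: {needs_bucket_arn} require the bucket ARN, but only object ARNs are listed")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        condition = stmt.get("Condition", {})
        if anonymous and stmt.get("Effect") == "Allow" and not condition:
            findings.append(f"{sid}: anonymous Allow with no Condition makes {sorted(actions)} world-accessible")
        # A NotIpAddress outside every IpAddress range (e.g. a typo in the first octet) excludes nothing.
        allowed = [ipaddress.ip_network(c, strict=False)
                   for c in _as_list(condition.get("IpAddress", {}).get("aws:SourceIp"))]
        for excluded in _as_list(condition.get("NotIpAddress", {}).get("aws:SourceIp")):
            net = ipaddress.ip_network(excluded, strict=False)
            if allowed and not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{sid}: NotIpAddress {excluded} lies outside IpAddress and excludes nothing")
    return findings


def ip_allow_policy(bucket, allowed_cidr, excluded_ips=(), actions=("s3:GetObject",)):
    """Build a least-privilege IP-restricted policy: anonymous access to objects in
    `bucket` only from `allowed_cidr`, minus `excluded_ips`, for the listed actions."""
    condition = {"IpAddress": {"aws:SourceIp": allowed_cidr}}
    if excluded_ips:
        condition["NotIpAddress"] = {"aws:SourceIp": list(excluded_ips)}
    statement = {
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": list(actions),
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": condition,
    }
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=2)


# Constructed inputs (not policies from any real bucket) showing the mistakes
# the linter is meant to catch before Save is clicked.
MISNESTED_IP_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "IPAllow", "Effect": "Allow",
  "Principal": {"AWS": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::demo-bucket/*",
                "Condition": {"IpAddress": {"aws:SourceIp": "77.19.132.0/24"}}}}]}"""

TYPO_EXCLUSION_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "IPAllow", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::demo-bucket/*",
  "Condition": {"IpAddress": {"aws:SourceIp": "77.19.132.0/24"},
                "NotIpAddress": {"aws:SourceIp": "76.19.132.120/32"}}}]}"""
```

    Call lint_policy on the policy text you are about to save; an empty list means none of the checks fired. Against MISNESTED_IP_POLICY it reports the misplaced keys, the resulting missing Action and Resource, and an unconditional anonymous Allow; against TYPO_EXCLUSION_POLICY it reports s3:ListBucket without a bucket ARN and the exclusion that falls outside the allowed range, while the policy returned by ip_allow_policy("demo-bucket", "77.19.132.0/24", ["77.19.132.120/32"]) comes back clean. The anonymous-principal finding is expected for a deliberately public bucket, but it forces that decision to be explicit. The lint covers only the patterns shown on this page; it does not replace the console's syntax validation or testing the saved policy against real requests.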

    Editing a Bucket Policy

    If a policy exists for a bucket, you can edit it.

    1. On the Buckets list, click the icon for the desired bucket.
    2. Click Settings.
    3. Click the Permissions tab.
    4. Click Edit and then modify the content of the policy, as required.

    5. Click Save.

    Deleting a Bucket Policy

    If a policy exists for a bucket, you can delete it.

    1. On the Buckets list, click the icon for the desired bucket.
    2. Click Settings.
    3. Click the Permissions tab.
    4. Click Delete.
    5. A message asks that you confirm your decision to delete. Click Delete to confirm.