Contents x
    Bucket Policy
    • 05 Apr 2023
    • Print
    • PDF
    Contents

    Bucket Policy

    • Updated on 05 Apr 2023
    • Print
    • PDF
    Article Summary

    You can attach a policy to define the actions that can take place on a bucket and the conditions under which those actions can occur. In addition, you can edit an existing policy or delete it.

    Defining a Bucket Policy

    1. Click for the bucket and click Settings.
    2. Click the POLICIES tab.
    3. If a policy is not already defined for the bucket, the panel will appear as:

      If the panel appears with a policy defined, you can edit it (see Editing a Bucket Policy).

      You can click to copy the Amazon Resource Name (ARN) to the clipboard. The follow are the general formats for ARNs:
      arn:aws:service:account-id:resource-id
      arn:aws:service:account-id:resource-type/resource-id
      arn:aws:service:account-id:resource-type:resource-id
    4. Enter code for the policy. For example:

      The following policy makes the bucket and content public.

      By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {
      "AWS": "*"
      },
      "Action": "s3:GetObject", "Resource": [
      "arn:aws:s3:::mybucket/*",
      "arn:aws:s3:::mybucket"
      ]
      }
      ]
      }

      The following policy is an example for just allowing a specific IP address:

      {
      "Id": "S3PolicyId1",
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "IPAllow",
      "Effect": "Allow", "Principal": {
      "AWS": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::vbatra-ip-only/*", "Condition": {
      "IpAddress": {
      "aws:SourceIp": "77.19.132.0/24"
      },
      "NotIpAddress": {
      "aws:SourceIp": "76.19.132.120/32"
      }
      }
      }
      }
      ]
      }

      This policy grants permission to multiple accounts. In the example below, two accounts (arn:aws:iam::100000000164:root and arn:aws:iam::100000000162:root) are given access to objects under a bucket named multi-account.

      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "AddCannedAcl", "Effect": "Allow", "Principal": {
      "AWS": [
      "arn:aws:iam::100000000164:root", "arn:aws:iam::100000000162:root"
      ]
      },
      "Action": [ "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::multi-account/*"
      }
      ]
      }

      Note that syntax errors will be flagged as you enter information. In this example, the colon (:) is missing after “Statement” in line 3:

    5. When you see you can click SAVE to create the policy.

    Editing a Bucket Policy

    If a policy exists for a bucket, you can edit it.

    1. Click for the bucket and click Settings.
    2. Click the POLICIES tab.
    3. Edit the content of the policy, as required.
    4. Click SAVE.

    Deleting a Bucket Policy

    If a policy exists for a bucket, you can delete it.

    1. Click for the bucket and click Settings.
    2. Click the POLICIES tab.
    3. Click DELETE.


    What's Next
    Copyright © 2023 by Wasabi Technologies LLC
    111 Huntington Avenue, Suite 2860, Boston, MA 02199
    United States
    All Rights Reserved
    Visit us at https://wasabi.com
    WASABI and the WASABI logo are trademarks of Wasabi Technologies LLC and may not be used without permission of Wasabi Technologies. All other names are used for identification purposes only and are trademarks or registered trademarks of their respective companies.

    Information presented herein is subject to change without notice. Companies, names, and data used in examples are fictitious unless otherwise noted. No part of this information may be reproduced or transmitted in any form by means electronic or mechanical, for any purpose, without express written permission of Wasabi Technologies.