An S3 bucket policy is an object that allows you to manage access to specific buckets. They are structured with JSON-based access policy language.
To start with, set up s3cmd, if you haven't done so already. Here's an article to help you with that: Object storage: How to use s3cmd and s3fs.
To enforce a policy located in a JSON file called policy.json upon a bucket called mybucket, we run the command:
s3cmd setpolicy policy.json s3://mybucket
Sample scenarios
Grant any user read-access to the bucket:
{
"Version": "2012-10-17",
"Id": "policy-read-any",
"Statement": [
{
"Sid": "read-any",
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
Grant any user read and write access to the bucket:
{
"Version": "2012-10-17",
"Id": "policy-read-any",
"Statement": [
{
"Sid": "read-write-any",
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
Put up IP restrictions to read and write to a bucket:
{
"Sid": "AllowIP",
"Effect": "Deny",
"Principal": {
"AWS": ["*"]
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": ["IP-ADDRESS/23"]
}
}
}
Grant access to specific project credentials
{
"Version": "2012-10-17",
"Id": "S3PolicySomeROSomeRW",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<PROJECT_ID>:root"
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<PROJECT_ID>:root"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}