An S3 bucket policy is an object that allows you to manage access to specific buckets. They are structured with JSON-based access policy language.
To start with, set up s3cmd
, if you haven't done so already. Here's an article to help you with that: Object storage: How to use s3cmd and s3fs.
To enforce a policy located in a JSON file called policy.json upon a bucket called mybucket, we run the command:
s3cmd setpolicy policy.json s3://mybucket
Sample scenarios
Grant any user read-access to the bucket:
{ "Version": "2012-10-17", "Id": "policy-read-any", "Statement": [ { "Sid": "read-any", "Effect": "Allow", "Principal": { "AWS": [ "*" ] }, "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ] } ] }
Grant any user read and write access to the bucket:
{ "Version": "2012-10-17", "Id": "policy-read-any", "Statement": [ { "Sid": "read-write-any", "Effect": "Allow", "Principal": { "AWS": [ "*" ] }, "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::*" ] } ] }
Put up IP restrictions to read and write to a bucket:
{ "Sid": "AllowIP", "Effect": "Deny", "Principal": { "AWS": ["*"] }, "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "IpAddress": { "aws:SourceIp": ["IP-ADDRESS/23"] } } }
Grant access to specific project credentials
{ "Version": "2012-10-17", "Id": "S3PolicySomeROSomeRW", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<PROJECT_ID>:root" }, "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::*" ] }, { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<PROJECT_ID>:root" }, "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ] } ] }