Bucket policy examples
Bucket policies specify the access permissions for the bucket that the policy is attached to. Bucket policies are configured using the S3 PutBucketPolicy API. Note: The default for a bucket (no policy) is that only group members have full access to the account's buckets.
A bucket policy can be configured using the AWS CLI as per the following command:
aws s3api --endpoint-url https://api-object.bluvalt.com:8082 --profile YOURPROFILE put-bucket-policy --bucket BUCKETNAME --policy file://policy.json
Allow everyone read-only access to a bucket
In this example, everyone, including anonymous requesters, is allowed to list the bucket and perform GetObject operations on all objects in the bucket.
{
"Statement": [
{
"Sid": "AllowEveryoneReadOnlyAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:GetObject", "s3:ListBucket" ],
"Resource": ["urn:aws:s3:::BUCKETNAME","urn:aws:s3:::BUCKETNAME/*"]
}
]
}
Allow full access to a bucket exclusively by a specified user
In this example, the federated user Bob is allowed full access to the BUCKETNAME bucket and its objects. All other users are explicitly denied all operations.
Tenant ID: 00000000000000000000
User: Bob
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"SGWS": "urn:sgws:identity::00000000000000000000:federated-user/Bob"
},
"Action": [
"s3:*"
],
"Resource": [
"urn:aws:s3:::BUCKETNAME",
"urn:aws:s3:::BUCKETNAME/*"
]
},
{
"Effect": "Deny",
"NotPrincipal": {
"SGWS": "urn:sgws:identity::00000000000000000000:federated-user/Bob"
},
"Action": [
"s3:*"
],
"Resource": [
"urn:aws:s3:::BUCKETNAME",
"urn:aws:s3:::BUCKETNAME/*"
]
}
]
}
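As an added example (not part of this documentation), the following Python script applies the simplified evaluation rules the two examples above rely on, an explicit Deny overriding any Allow and a request matched by no Allow being implicitly denied, to those two policies. The object key and the user Alice are constructed for illustration; everything else is taken from the examples.

```python
from fnmatch import fnmatchcase

# Identifiers taken from the bucket policy examples above.
BUCKET = "urn:aws:s3:::BUCKETNAME"
BOB = "urn:sgws:identity::00000000000000000000:federated-user/Bob"

READ_ONLY = {"Statement": [
    {"Sid": "AllowEveryoneReadOnlyAccess", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]}]}

BOB_ONLY = {"Statement": [
    {"Effect": "Allow", "Principal": {"SGWS": BOB}, "Action": ["s3:*"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "NotPrincipal": {"SGWS": BOB}, "Action": ["s3:*"],
     "Resource": [BUCKET, BUCKET + "/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(spec, identity):
    # "*" matches every requester, anonymous included; otherwise spec is {"SGWS": urn(s)}
    if spec == "*":
        return True
    return any(identity == urn for urns in spec.values() for urn in _as_list(urns))

def _statement_applies(stmt, identity, action, resource):
    if "Principal" in stmt and not _principal_matches(stmt["Principal"], identity):
        return False
    if "NotPrincipal" in stmt and _principal_matches(stmt["NotPrincipal"], identity):
        return False
    # Action and Resource use the policy wildcard "*", e.g. "s3:*" or "BUCKETNAME/*"
    return (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])) and
            any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))

def evaluate(policy, identity, action, resource):
    """Decision for one request: an explicit Deny wins over any Allow, and a
    request matched by no Allow statement is implicitly denied."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, identity, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

if __name__ == "__main__":
    key = BUCKET + "/report.pdf"  # constructed object key
    print(evaluate(READ_ONLY, "anonymous", "s3:GetObject", key))  # Allow
    print(evaluate(BOB_ONLY, "anonymous", "s3:GetObject", key))   # Deny
```

Because the read-only policy names "Principal": "*", the first call shows that an unauthenticated requester can read every object in the bucket, which is what a reviewer should confirm is intended before attaching it.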
PutOverwriteObject permission (WORM)
In this example, the Deny Effect for PutOverwriteObject and DeleteObject protects the object’s data and metadata from being deleted or modified.
{
"Statement": [
{
"Sid": "WORMExamplePolicy",
"Effect": "Deny",
"Action": ["s3:PutOverwriteObject", "s3:DeleteObject"],
"Resource": ["urn:aws:s3:::*"]
}
]
}