Bucket Policy Examples

Bucket policies specify the access permissions for the bucket that the policy is attached to. They are configured with the S3 PutBucketPolicy API. Note: By default a bucket has no policy; access is then governed only by the group policies of the tenant account, so only members of the account's groups, with the permissions their group policies grant, can access the account's buckets.

A bucket policy can be configured with the AWS CLI using the following command, where policy.json holds the policy document:

aws s3api --endpoint-url https://api-object.bluvalt.com:8082 --profile YOURPROFILE put-bucket-policy --bucket BUCKETNAME --policy file://policy.json

Allow everyone read-only access to a bucket

In this example, everyone, including anonymous (unauthenticated) requesters, is allowed to list the bucket and perform GetObject operations on all objects in it. This makes the bucket public: anyone who can reach the endpoint can enumerate object keys through s3:ListBucket and download any object, so attach it only to buckets whose entire contents are meant to be public. s3:ListBucket is matched against the bucket resource (urn:aws:s3:::BUCKETNAME) and s3:GetObject against the object resource (urn:aws:s3:::BUCKETNAME/*), which is why both resources are listed.

{ 
  "Statement": [
    {
      "Sid": "AllowEveryoneReadOnlyAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [ "s3:GetObject", "s3:ListBucket" ],
      "Resource": ["urn:aws:s3:::BUCKETNAME","urn:aws:s3:::BUCKETNAME/*"]
    }
  ]
}

Allow full access to a bucket exclusively by a specified user

In this example, the federated user Bob is allowed full access to the BUCKETNAME bucket and its objects. All other users are explicitly denied all operations: the second statement uses NotPrincipal, so its Deny applies to every principal other than Bob, and an explicit Deny overrides any Allow those principals receive elsewhere, for example from their group policies. Because the Deny covers s3:*, it also covers the bucket policy operations themselves; apply a policy of this shape only when the principal you keep (here Bob) can still call put-bucket-policy and delete-bucket-policy, otherwise nobody but Bob will be able to change or remove it.

Tenant ID: 00000000000000000000
User: Bob

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "urn:sgws:identity::00000000000000000000:federated-user/Bob"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "urn:aws:s3:::BUCKETNAME",
        "urn:aws:s3:::BUCKETNAME/*"
      ]
    },
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "SGWS": "urn:sgws:identity::00000000000000000000:federated-user/Bob"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "urn:aws:s3:::BUCKETNAME",
        "urn:aws:s3:::BUCKETNAME/*"
      ]
    }
  ]
}

PutOverwriteObject permission (WORM)

In this example, the Deny Effect for PutOverwriteObject and DeleteObject protects the object's data and metadata from being deleted or modified. s3:PutOverwriteObject is a StorageGRID-specific permission that is required, in addition to s3:PutObject, to replace an existing object, so denying it leaves new writes possible while blocking overwrites. The statement is shown here wrapped as a complete bucket policy: a bucket policy requires a Principal, and "*" applies the Deny to every requester. Two caveats: if versioning is enabled on the bucket, deny s3:DeleteObjectVersion as well, or individual versions can still be removed; and this Deny does not cover s3:PutBucketPolicy or s3:DeleteBucketPolicy, so anyone permitted to change the bucket policy can remove the protection.

{
  "Statement": [
    {
      "Sid": "WORMExamplePolicy",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutOverwriteObject", "s3:DeleteObject"],
      "Resource": ["urn:aws:s3:::*"]
    }
  ]
}
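The three policies above (public read, exclusive access for Bob, WORM) can be checked against sample requests before they are applied with the small evaluator below. This is an added example, not part of the BluValt documentation or of StorageGRID itself: it models the evaluation rule that an explicit Deny in any applicable policy wins over any Allow and that a request nothing allows is denied, and it builds the page's three policies as Python dicts so they can be rendered to the policy.json that put-bucket-policy expects. Condition elements are not modelled; the ANONYMOUS marker, the GROUP_FULL_ACCESS group policy and any second user are constructed for the example; and group policies (which carry no Principal) are assumed to be passed in only for a requester who is a member of that group.

```python
"""Toy evaluator for the bucket policies on this page (added example).

Assumptions not taken from the page: Condition elements are ignored;
an explicit Deny in any evaluated policy wins; a request that no
statement allows is denied; group policies (which carry no Principal)
are passed in only for a requester who is a member of that group.
"""
import fnmatch
import json

# Constructed marker for an unauthenticated request; only Principal "*" matches it.
ANONYMOUS = "anonymous"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_values(principal):
    """Flatten "*" or {"SGWS": "urn:sgws:identity::..."} into a list of strings."""
    if isinstance(principal, dict):
        return [v for values in principal.values() for v in _as_list(values)]
    return _as_list(principal)


def _principal_applies(stmt, requester):
    """Principal "*" matches everyone, anonymous included; NotPrincipal inverts."""
    if "Principal" in stmt:
        values = _principal_values(stmt["Principal"])
        return "*" in values or requester in values
    if "NotPrincipal" in stmt:
        values = _principal_values(stmt["NotPrincipal"])
        return "*" not in values and requester not in values
    return True  # no Principal: a group policy, applying to the group member


def _any_match(patterns, value):
    """Glob match as in policy documents: s3:* covers every S3 action."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_applies(stmt, requester, action, resource):
    if not _principal_applies(stmt, requester):
        return False
    if "Action" in stmt and not _any_match(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _any_match(stmt["NotAction"], action):
        return False
    return _any_match(stmt.get("Resource", "*"), resource)


def evaluate(policies, requester, action, resource):
    """Return "Allow" or "Deny" for one request across all given policies."""
    decision = "Deny"  # implicit deny until some statement allows
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, requester, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny ends evaluation
            decision = "Allow"
    return decision


def bucket_resources(bucket):
    return [f"urn:aws:s3:::{bucket}", f"urn:aws:s3:::{bucket}/*"]


def federated_user(tenant_id, user):
    return f"urn:sgws:identity::{tenant_id}:federated-user/{user}"


def public_read_policy(bucket):
    """First example on the page: everyone may list and read."""
    return {"Statement": [{
        "Sid": "AllowEveryoneReadOnlyAccess", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": bucket_resources(bucket)}]}


def exclusive_user_policy(tenant_id, user, bucket):
    """Second example: Allow for one user, Deny for every other principal."""
    principal = {"SGWS": federated_user(tenant_id, user)}
    return {"Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": ["s3:*"],
         "Resource": bucket_resources(bucket)},
        {"Effect": "Deny", "NotPrincipal": principal, "Action": ["s3:*"],
         "Resource": bucket_resources(bucket)},
    ]}


# Third example as a complete bucket policy (Principal "*" added so it is valid).
WORM_POLICY = {"Statement": [{
    "Sid": "WORMExamplePolicy", "Effect": "Deny", "Principal": "*",
    "Action": ["s3:PutOverwriteObject", "s3:DeleteObject"],
    "Resource": ["urn:aws:s3:::*"]}]}

# Constructed group policy granting a group full S3 access (not from the page).
GROUP_FULL_ACCESS = {"Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "urn:aws:s3:::*"}]}


def render(policy):
    """JSON text suitable for `put-bucket-policy --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    bob = federated_user("00000000000000000000", "Bob")
    obj = "urn:aws:s3:::BUCKETNAME/report.pdf"
    print(evaluate([public_read_policy("BUCKETNAME")], ANONYMOUS, "s3:GetObject", obj))
    print(evaluate([exclusive_user_policy("00000000000000000000", "Bob", "BUCKETNAME"),
                    GROUP_FULL_ACCESS], bob, "s3:DeleteObject", obj))
    print(evaluate([WORM_POLICY, GROUP_FULL_ACCESS], bob, "s3:DeleteObject", obj))
```

Write `render(policy)` to policy.json and pass it to the put-bucket-policy command shown at the top of the page. The evaluator is a model of the decision logic only: it compares action names as written, so it does not reproduce StorageGRID's rule that an overwrite needs both s3:PutObject and s3:PutOverwriteObject, and a request that is allowed here can still be refused by the service for reasons a policy does not express.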