
Bucket Policies

  • Make all objects within the bucket “my-super-bucket” publicly readable
    {
      "Statement": [
        {
          "Sid": "Example-policy1",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "urn:sgws:s3:::my-super-bucket/*"
        }
      ]
    }
  • Make the file “picture.jpg” within the bucket “my-super-bucket” publicly readable
    {
      "Statement": [
        {
          "Sid": "Example-policy2",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "urn:sgws:s3:::my-super-bucket/picture.jpg"
        }
      ]
    }
  • Restrict full access to a bucket to a specific credential group within the same project (every other principal, anonymous requests included, is denied all s3 actions on the bucket and its objects)
    {
      "Statement": [
        {
          "Sid": "allow-specific-credential-group",
          "Effect": "Deny",
          "NotPrincipal": {
            "AWS": "urn:sgws:identity::12345678901234567890:group/credentials-group-1234"
          },
          "Action": [ "s3:*" ],
          "Resource": [
            "arn:aws:s3:::my-super-bucket",
            "arn:aws:s3:::my-super-bucket/*"
          ]
        }
      ]
    }
  • Read-only access to objects within the bucket “my-super-bucket” for all credential groups except “credentials-group-1234”, which keeps full access. Note that s3:List* is denied as well, so the other groups can fetch objects by key but cannot list the bucket.
    {
      "Statement": [
        {
          "Sid": "allow-specific-credential-group",
          "Effect": "Deny",
          "NotPrincipal": {
            "AWS": "urn:sgws:identity::12345678901234567890:group/credentials-group-1234"
          },
          "Action": [ "s3:Put*", "s3:Delete*", "s3:GetBucket*", "s3:GetEncryption*", "s3:List*" ],
          "Resource": [
            "arn:aws:s3:::my-super-bucket",
            "arn:aws:s3:::my-super-bucket/*"
          ]
        }
      ]
    }
  • Allow public read access to objects, and write/delete only for a specific credential group, on bucket “my-super-bucket”
    {
      "Statement": [
        {
          "Sid": "public-read",
          "Effect": "Allow",
          "Principal": "*",
          "Action": [ "s3:GetObject" ],
          "Resource": [
            "arn:aws:s3:::my-super-bucket",
            "arn:aws:s3:::my-super-bucket/*"
          ]
        },
        {
          "Sid": "allow-specific-credential-group",
          "Effect": "Deny",
          "NotPrincipal": {
            "AWS": "urn:sgws:identity::12345678901234567890:group/credentials-group-1234"
          },
          "Action": [ "s3:Put*", "s3:Delete*", "s3:GetBucket*", "s3:GetEncryption*", "s3:List*" ],
          "Resource": [
            "arn:aws:s3:::my-super-bucket",
            "arn:aws:s3:::my-super-bucket/*"
          ]
        }
      ]
    }
  • Restrict access to a bucket to specific source IPs and, in addition, limit full access to “credentials-group-1234”. Note that the second statement, as written, also denies s3:Get* to every other principal, so the other credential groups can only list the bucket; drop s3:Get* from that Deny if they should be able to read objects as well.
    {
      "Statement": [
        {
          "Sid": "Restrict-IP-Range",
          "Effect": "Deny",
          "Principal": "*",
          "Action": [ "s3:*" ],
          "Resource": [
            "arn:aws:s3:::my-super-bucket/*",
            "arn:aws:s3:::my-super-bucket"
          ],
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": [ "192.168.1.3", "192.168.1.4" ]
            }
          }
        },
        {
          "Sid": "Restrict-Group2",
          "Effect": "Deny",
          "NotPrincipal": {
            "AWS": "urn:sgws:identity::12345678901234567890:group/credentials-group-1234"
          },
          "Action": [ "s3:Create*", "s3:Put*", "s3:Delete*", "s3:Get*" ],
          "Resource": [
            "arn:aws:s3:::my-super-bucket/*",
            "arn:aws:s3:::my-super-bucket"
          ]
        }
      ]
    }
  • Sample policy with multiple statements and conditions. Note that the first statement grants credentials-group-1234 s3:* on the object resource only (“my-super-bucket/*”, not the bucket itself), so bucket-level operations such as listing are not covered by it.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Principal": {
            "AWS": "urn:sgws:identity::12345678901234567890:group/credentials-group-1234"
          },
          "Resource": "urn:sgws:s3:::my-super-bucket/*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Principal": {
            "AWS": "urn:sgws:identity::12345678901234567890:group/credentials-group-4567"
          },
          "Resource": "urn:sgws:s3:::my-super-bucket/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": [ "192.168.1.10", "192.168.1.20" ]
            },
            "NotIpAddress": {
              "aws:SourceIp": "0.0.0.0"
            }
          }
        }
      ]
    }
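Because most policies in this list restrict rather than grant (Deny combined with NotPrincipal), it is easy to write one that does not do what its description says; the source-IP example, for instance, denies s3:Get* to every group other than credentials-group-1234. The checker below is an added example for this page, not code from the page, from s3cmd or from any S3 implementation. It evaluates a policy offline against one request (principal, action, resource, source IP) with the usual rule that an explicit Deny wins over any Allow, treats the urn:sgws:s3::: and arn:aws:s3::: resource prefixes, which the examples above mix for the same bucket, as equivalent (an assumption), and returns NoMatch when no statement applies; in that case the outcome depends on what else grants access, such as the tenant's group policies, which the checker does not model. Only the aws:SourceIp conditions used on this page are supported. The second group URN (credentials-group-4567) and the object key picture.jpg are constructed for the example.

```python
"""Offline checker for S3-style bucket policies like the ones listed above.

Added example for this page, not code from the page, from s3cmd or from any
S3 implementation.  It models the bucket policy alone: an explicit Deny wins,
otherwise a matching Allow wins, otherwise "NoMatch" (the policy decides
nothing; group policies, which are not modelled, decide the outcome).
"""
import fnmatch
import ipaddress
import json

# The page uses both "urn:sgws:s3:::" and "arn:aws:s3:::" for the same
# buckets; this checker treats them as equivalent (assumption).
_ARN_PREFIXES = ("urn:sgws:s3:::", "arn:aws:s3:::")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _strip_prefix(arn):
    prefix = next((p for p in _ARN_PREFIXES if arn.startswith(p)), "")
    return arn[len(prefix):]


def _principal_ids(spec):
    """Flatten "*" or {"AWS": "urn:..."} / {"AWS": [...]} into a list of ids."""
    if isinstance(spec, dict):
        return [p for value in spec.values() for p in _as_list(value)]
    return _as_list(spec)


def _principal_applies(stmt, principal):
    """principal is a user/group URN, or None for an anonymous request."""
    if "Principal" in stmt:
        ids = _principal_ids(stmt["Principal"])
        return "*" in ids or principal in ids
    if "NotPrincipal" in stmt:
        # Everyone NOT listed, anonymous requests included, is covered.
        ids = _principal_ids(stmt["NotPrincipal"])
        return not ("*" in ids or principal in ids)
    return False


def _condition_holds(condition, source_ip):
    """Only IpAddress / NotIpAddress on aws:SourceIp are modelled."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator {operator!r}")
        for key, values in keys.items():
            if key != "aws:SourceIp":
                raise ValueError(f"unsupported condition key {key!r}")
            if source_ip is None:
                return False  # key absent from the request: cannot match
            ip = ipaddress.ip_address(source_ip)
            hit = any(ip in ipaddress.ip_network(v, strict=False)
                      for v in _as_list(values))
            if (operator == "IpAddress") != hit:
                return False
    return True


def evaluate(policy, principal, action, resource, source_ip=None):
    """Return "Deny", "Allow" or "NoMatch" for one request against the policy."""
    target = _strip_prefix(resource)
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_applies(stmt, principal):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(target, _strip_prefix(r))
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "NoMatch"


# Copy of the "source IP + credentials-group-1234" policy from the list above.
IP_POLICY = json.loads("""
{ "Statement": [
  { "Sid": "Restrict-IP-Range", "Effect": "Deny", "Principal": "*", "Action": [ "s3:*" ],
    "Resource": [ "arn:aws:s3:::my-super-bucket/*", "arn:aws:s3:::my-super-bucket" ],
    "Condition": { "NotIpAddress": { "aws:SourceIp": [ "192.168.1.3", "192.168.1.4" ] } } },
  { "Sid": "Restrict-Group2", "Effect": "Deny",
    "NotPrincipal": { "AWS": "urn:sgws:identity::12345678901234567890:group/credentials-group-1234" },
    "Action": [ "s3:Create*", "s3:Put*", "s3:Delete*", "s3:Get*" ],
    "Resource": [ "arn:aws:s3:::my-super-bucket/*", "arn:aws:s3:::my-super-bucket" ] }
] }
""")
GROUP_1234 = "urn:sgws:identity::12345678901234567890:group/credentials-group-1234"
GROUP_OTHER = "urn:sgws:identity::12345678901234567890:group/credentials-group-4567"  # constructed
BUCKET = "urn:sgws:s3:::my-super-bucket"
OBJ = BUCKET + "/picture.jpg"


def check_ip_policy():
    """Decisions for a few requests; note GetObject is denied to the other group."""
    return {
        "1234 put, listed ip": evaluate(IP_POLICY, GROUP_1234, "s3:PutObject", OBJ, "192.168.1.3"),
        "1234 put, other ip": evaluate(IP_POLICY, GROUP_1234, "s3:PutObject", OBJ, "10.0.0.1"),
        "other get, listed ip": evaluate(IP_POLICY, GROUP_OTHER, "s3:GetObject", OBJ, "192.168.1.4"),
        "other list, listed ip": evaluate(IP_POLICY, GROUP_OTHER, "s3:ListBucket", BUCKET, "192.168.1.4"),
        "anonymous get, listed ip": evaluate(IP_POLICY, None, "s3:GetObject", OBJ, "192.168.1.4"),
    }
```

Calling check_ip_policy() returns NoMatch for group 1234 from a listed address (the policy neither allows nor denies it; the group policy decides), Deny for the same group from any other address, Deny for another group's GetObject even from a listed address (the caveat noted above), NoMatch for that group's ListBucket, and Deny for anonymous reads. To check your own policy, load the file you intend to pass to s3cmd setpolicy with json.load and call evaluate with the principals and addresses you care about.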

Put your policy into a JSON file and then apply it using:

s3cmd setpolicy FILE s3://BUCKET
e.g. s3cmd setpolicy policy.json s3://my-super-bucket

With s3cmd there is no dedicated command to just print the bucket policy, but the “info” command prints the policy together with additional information about the bucket or object:

s3cmd info s3://BUCKET[/OBJECT]
e.g. s3cmd info s3://my-super-bucket

You can remove a policy from a bucket using:

s3cmd delpolicy s3://BUCKET
e.g. s3cmd delpolicy s3://my-super-bucket

Note that s3cmd dellifecycle removes the bucket's lifecycle configuration, not its policy.