Sample Bucket Policy

Example for bucket policy.

The following bucket policy allows all users in group1 to get, put, and delete objects, and list the bucket contents. The ${bucket} keyword is a placeholder that the system automatically replaces with the bucket name.

  {
    "Version": "2012-10-17",
    "Id": "PolicyContent1",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "arn:primary:default:group:group1",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::${bucket}/*"
        },
        {
            "Effect": "Allow",
            "Principal": "arn:primary:default:group:group1",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::${bucket}"
        }
    ]
}

The following policy allows all users in group1 to get, put, and delete objects, and list the bucket contents while also denying user1 and user2 in qagroup1 permission to perform get, put, and delete operations.

{
    "Version": "2012-10-17",
    "Id": "PolicyContent1",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "arn:primary:default:group:group1",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::${bucket}/*"
        },
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:primary:default:user:user1",
                    "arn:primary:default:user:user2"
                ]
            },
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::${bucket}/*"
        },
        {
            "Effect": "Allow",
            "Principal": "arn:primary:default:group:group1",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::${bucket}"
        }
    ]
}

The following policy allows user1 to perform all the specified operations:

{
  "ID": "PolicyContent1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "arn:primary:default:user:user1",
      "Action": [
        "s3:GetObjectRetention",
        "s3:GetObjectTagging",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersionTagging",
        "s3:GetObject",
        "s3:GetObjectLegalHold",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::${bucket}/*"
    },
    {
      "Effect": "Allow",
      "Principal": "arn:primary:default:user:user1",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:GetBucketTagging",
        "s3:ListBucket",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging"      ],
        "Resource": "arn:aws:s3:::${bucket}"
    }
  ]
}

HPE Ezmeral Data Fabric 7.9 Documentation
Abstract	This site or PDF file contains documentation for the as-a-service platform, HPE Ezmeral Data Fabric version 7.9, including installation, configuration, administration, and reference content.
Published	November 2024
Edition	7.9.0