Sample Bucket Policy
Examples of bucket policies.
The following bucket policy allows all users in group1 to get, put, and delete objects, and to list the bucket contents. The `${bucket}` keyword is a placeholder that the system automatically replaces with the bucket name.
{
"Version": "2012-10-17",
"Id": "PolicyContent1",
"Statement": [
{
"Effect": "Allow",
"Principal": "arn:primary:default:group:group1",
"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
"Resource": "arn:aws:s3:::${bucket}/*"
},
{
"Effect": "Allow",
"Principal": "arn:primary:default:group:group1",
"Action": ["s3:ListBucket"],
"Resource": "arn:aws:s3:::${bucket}"
}
]
}
The following policy allows all users in group1 to get, put, and delete objects and to list the bucket contents, while denying user1 and user2 in qagroup1 permission to get, put, and delete objects. In standard bucket-policy evaluation an explicit Deny takes precedence over an Allow, so user1 and user2 are refused those object operations even if they are also members of group1.
{
"Version": "2012-10-17",
"Id": "PolicyContent1",
"Statement": [
{
"Effect": "Allow",
"Principal": "arn:primary:default:group:group1",
"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
"Resource": "arn:aws:s3:::${bucket}/*"
},
{
"Effect": "Deny",
"Principal": {
"AWS": [
"arn:primary:default:user:user1",
"arn:primary:default:user:user2"
]
},
"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
"Resource": "arn:aws:s3:::${bucket}/*"
},
{
"Effect": "Allow",
"Principal": "arn:primary:default:group:group1",
"Action": ["s3:ListBucket"],
"Resource": "arn:aws:s3:::${bucket}"
}
]
}
The following policy allows user1 to perform all of the listed object and bucket operations. Note that it grants `s3:PutBucketPolicy` and `s3:DeleteBucketPolicy`, so user1 can modify or remove this policy itself; grant these only where that is intended. This example uses the key `ID`, whereas the earlier examples use `Id`; keep the spelling consistent with the other examples:
{
"ID": "PolicyContent1",
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "arn:primary:default:user:user1",
"Action": [
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetObject",
"s3:GetObjectLegalHold",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::${bucket}/*"
},
{
"Effect": "Allow",
"Principal": "arn:primary:default:user:user1",
"Action": [
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:ListBucket",
"s3:PutBucketPolicy",
"s3:PutBucketTagging" ],
"Resource": "arn:aws:s3:::${bucket}"
}
]
}