This section gives a few examples of typical use cases for bucket policies.
Note
You can use the AWS Policy Generator tool to create a bucket policy for your Amazon S3 bucket. You can then use the generated document to set your bucket policy using the Amazon S3 console, a number of third-party tools, or your application. To use the policy generation tool, go to AWS Policy Generator.
The following example policy grants the s3:PutObject and s3:PutObjectAcl permissions to multiple accounts and requires that the public-read canned ACL be included in the request.
{
"Version":"2008-10-17",
"Statement":[{
"Sid":"AddCannedAcl",
"Effect":"Allow",
"Principal": {
"AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]
},
"Action":["s3:PutObject","s3:PutObjectAcl"
],
"Resource":["arn:aws:s3:::bucket/*"
],
"Condition":{
"StringEquals":{
"s3:x-amz-acl":["public-read"]
}
}
}
]
}
The following example policy grants the s3:GetObject permission to anonymous users (any principal).
{
"Version":"2008-10-17",
"Statement":[{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": {
"AWS": "*"
},
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::bucket/*"
]
}
]
}
This statement grants any user permission to perform any S3 action on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition. The condition in this statement identifies the 192.168.143.* range of allowed IP addresses with one exception, 192.168.143.188.
Note that the IpAddress and NotIpAddress values specified in the condition use the CIDR notation described in RFC 4632. For more information, go to http://www.rfc-editor.org/rfc/rfc4632.txt.
{
"Version": "2008-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition" : {
"IpAddress" : {
"aws:SourceIp": "192.168.143.0/24"
},
"NotIpAddress" : {
"aws:SourceIp": "192.168.143.188/32"
}
}
}
]
}
Suppose you have a website with the domain name www.example.com or example.com that links to photos and videos stored in your Amazon S3 bucket, examplebucket. By default, all Amazon S3 resources are private: only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows the s3:GetObject action with a condition, using the aws:Referer key, that the GET request must originate from specific web pages.
The following bucket policy allows the s3:GetObject action on all objects in the examplebucket bucket if the request originated from the specified referer.
{
"Version":"2008-10-17",
"Id":"http referer policy example",
"Statement":[
{
"Sid":"Allow get requests originated from www.example.com and example.com",
"Effect":"Allow",
"Principal":"*",
"Action":"s3:GetObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition":{
"StringLike":{
"aws:Referer":[
"http://www.example.com/*",
"http://example.com/*"
]
}
}
}
]
}
You can further secure access to objects in the examplebucket bucket by adding an explicit deny to the bucket policy, as shown in the following bucket policy. An explicit deny supersedes any permission you might grant to objects in the examplebucket bucket by other means, such as ACLs or user policies.
{
"Version": "2008-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests referred by www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.com/*"
]
}
}
},
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.com/*"
]
}
}
}
]
}
You must make sure the browsers you use include the HTTP Referer header in the request; because the Deny statement uses StringNotLike, a request that carries no Referer header at all is also denied.
The following example policy enables log delivery to your Amazon S3 bucket. The account specified in the following policy is the Log Delivery group. You must use the ARN specified in this policy because it identifies the Log Delivery group. For more information, see Setting Up Server Access Logging.
{
"Version":"2008-10-17",
"Id":"LogPolicy",
"Statement":[{
"Sid":"Enables the log delivery group to publish logs to your bucket ",
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::111122223333:root"
},
"Action":["s3:GetBucketAcl",
"s3:GetObjectAcl",
"s3:PutObject"
],
"Resource":["arn:aws:s3:::example-bucket",
"arn:aws:s3:::example-bucket/*"
]
}
]
}
The following example bucket policy grants a CloudFront Origin Identity permission to GET all objects in your Amazon S3 bucket. The CloudFront Origin Identity is used to enable CloudFront's private content feature. The policy uses the CanonicalUser prefix, instead of AWS, to specify a Canonical User ID. To learn more about CloudFront's support for serving private content, go to the Serving Private Content topic in the Amazon CloudFront Developer Guide. You must specify the Canonical User ID for your CloudFront distribution's origin access identity.
{
"Version":"2008-10-17",
"Id":"PolicyForCloudFrontPrivateContent",
"Statement":[{
"Sid":" Grant a CloudFront Origin Identity access to support private content",
"Effect":"Allow",
"Principal":{
"CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
},
"Action":"s3:GetObject",
"Resource":"arn:aws:s3:::example-bucket/*"
}
]
}
Amazon S3 supports MFA-protected API access, a feature that can enforce AWS Multi-Factor Authentication for access to your S3 resources. AWS Multi-Factor Authentication provides an extra level of security you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to AWS Multi-Factor Authentication. You can require MFA authentication for any request to access your Amazon S3 resources.
You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. IAM users can access S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request. When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 action on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated.
To learn more about MFA authentication, go to Configuring MFA-Protected API Access.
{
"Version": "2008-10-17",
"Id": "123",
"Statement": [
{
"Sid": "",
"Effect": "Deny",
"Principal": { "AWS": "*" },
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
"Condition": { "Null": { "aws:MultiFactorAuthAge": true }}
}
]
}
The Null condition in the Condition block evaluates to true if the aws:MultiFactorAuthAge key value is null, indicating that the temporary security credentials in the request were created without MFA.
The following bucket policy is an extension of the preceding bucket policy. It includes
two policy statements. One statement allows the s3:GetObject action
on a bucket (examplebucket) to everyone and another statement
further restricts access to the examplebucket/taxdocuments folder
in the bucket by requiring MFA authentication.
{
"Version": "2008-10-17",
"Id": "123",
"Statement": [
{
"Sid": "",
"Effect": "Deny",
"Principal": { "AWS": "*"},
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
"Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {"AWS": "*" },
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::examplebucket/*"
}
]
}
You can optionally use a numeric condition to limit the duration for which the aws:MultiFactorAuthAge key is valid, independent of the lifetime of the temporary security credential used in authenticating the request. For example, the following bucket policy, in addition to requiring MFA authentication, also checks how long ago the temporary session was created. The policy denies any action if the aws:MultiFactorAuthAge key value indicates that the temporary session was created more than an hour ago (3,600 seconds).
{
"Version": "2008-10-17",
"Id": "123",
"Statement": [
{
"Sid": "",
"Effect": "Deny",
"Principal": { "AWS": "*" },
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
"Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
},
{
"Sid": "",
"Effect": "Deny",
"Principal": { "AWS": "*"},
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
"Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": 3600 } }
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {"AWS": "*"},
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::examplebucket/*"
}
]
}
You can allow other AWS accounts to upload objects to your bucket. However, you may decide that, as the bucket owner, you must have full control of the objects uploaded to your bucket. The following policy denies a specific AWS account (111111111111) the ability to upload objects unless that account grants the bucket owner, identified by the email address xyz@amazon.com, full control.
The policy requires the PutObject request to include the x-amz-grant-full-control request header. For more information, go to PUT Object.
{
"Version":"2008-10-17",
"Statement":[
{
"Sid":"111",
"Effect":"Allow",
"Principal":{
"AWS":"111111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*"
},
{
"Sid":"112",
"Effect":"Deny",
"Principal":{
"AWS":"111111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-grant-full-control":[
"emailAddress=xyz@amazon.com"
]
}
}
}
]
}
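As an added illustration (not AWS code and not how IAM is implemented), the following Python models the evaluation rules the IP-address, referer, MFA and grant-full-control examples above rely on: an explicit Deny overrides any Allow, no matching statement is an implicit Deny, and each condition operator used on this page (IpAddress/NotIpAddress, StringLike/StringNotLike, StringEquals/StringNotEquals, Null, NumericGreaterThan) treats a key that is absent from the request context in its own way. It assumes a request-context dictionary keyed by the condition keys (aws:SourceIp, aws:Referer, aws:MultiFactorAuthAge, s3:x-amz-grant-full-control), ignores Principal, and embeds a constructed copy of the final MFA policy above as sample input.

```python
import fnmatch
import ipaddress

def _listify(v):
    return v if isinstance(v, list) else [v]

def _match(op, expected, actual):
    """Evaluate one condition operator against the request-context value (None = absent)."""
    vals = _listify(expected)
    if op == "Null":                      # true => key must be absent, false => present
        return (actual is None) == bool(vals[0])
    negated = op in ("NotIpAddress", "StringNotLike", "StringNotEquals")
    if actual is None:                    # absent key: negated operators match, others fail
        return negated
    if op in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in vals)
    elif op in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(actual, v) for v in vals)
    elif op in ("StringEquals", "StringNotEquals"):
        hit = actual in vals
    elif op == "NumericGreaterThan":
        return float(actual) > float(vals[0])
    else:
        raise ValueError(f"operator not modelled here: {op}")
    return not hit if negated else hit

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny'; an explicit Deny wins and no matching statement is an implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st["Resource"])):
            continue
        if not all(_match(op, exp, ctx.get(key))
                   for op, keys in st.get("Condition", {}).items() for key, exp in keys.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed copy of the page's final MFA policy (Principal is ignored by this toy evaluator).
MFA_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
     "Condition": {"Null": {"aws:MultiFactorAuthAge": True}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
     "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": 3600}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::examplebucket/*"}]}
```

Running evaluate() against the referer and grant-full-control policies above shows that a request with no Referer header or no x-amz-grant-full-control header is caught by their negated Deny statements, whereas a request with no aws:SourceIp simply fails the IP-address Allow.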