Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Access Policy Language Overview

The topics in this section describe the basic elements used in bucket and user policies as used in Amazon S3. For complete policy language information, see the Overview of IAM Policies and the AWS IAM Policy Reference topics in the IAM User Guide.


Bucket policies are limited to 20 KB in size.

Common Elements in an Access Policy

In its most basic sense, a policy contains the following elements:

  • Resources – Buckets and objects are the Amazon S3 resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource.

  • Actions – For each resource, Amazon S3 supports a set of operations. You identify resource operations you will allow (or deny) by using action keywords (see Specifying Permissions in a Policy).

    For example, the s3:ListBucket permission allows the user to perform the Amazon S3 GET Bucket (List Objects) operation.

  • Effect – Whether the user's request for the specified action is allowed or denied. The value is either Allow or Deny.

    If you do not explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do in order to make sure that a user cannot access it, even if a different policy grants access.

  • Principal – The account or user who is allowed access to the actions and resources in the statement. You specify a principal only in a bucket policy. It is the user, account, service, or other entity who is the recipient of this permission. In a user policy, the user to which the policy is attached is the implicit principal.

The following example bucket policy shows the preceding common policy elements. The policy grants Dave, a user in account Account-ID, the s3:GetBucketLocation, s3:ListBucket, and s3:GetObject Amazon S3 permissions on the examplebucket bucket.

   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Sid": "ExampleStatement1",
            "Effect": "Allow",
            "Principal": {
               "AWS": "arn:aws:iam::Account-ID:user/Dave"
            },
            "Action": [
               "s3:GetBucketLocation",
               "s3:ListBucket",
               "s3:GetObject"
            ],
            "Resource": [
               "arn:aws:s3:::examplebucket",
               "arn:aws:s3:::examplebucket/*"
            ]
         }
      ]
   }

Because this is a bucket policy, it includes the Principal element, which specifies who gets the permission. Note that the bucket-level actions (s3:GetBucketLocation and s3:ListBucket) apply to the bucket ARN, whereas s3:GetObject applies to object ARNs, which is why the Resource element lists both arn:aws:s3:::examplebucket and arn:aws:s3:::examplebucket/*.
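To make the interplay of the elements above concrete, here is a small, added Python model of how Effect, Principal, Action, and Resource combine for a single request. It is example code written for this page, not AWS code and not the actual IAM evaluation engine (it ignores conditions, identity-based policies, and ACLs): an explicit Deny in any matching statement wins, otherwise at least one matching Allow is required, otherwise the request is implicitly denied. The account ID 111122223333, the second "DenySecrets" statement, the user Alice, and the object keys are constructed for the example; the policy otherwise mirrors the page's example for Dave. It also checks the 20 KB bucket policy size limit mentioned on this page.

```python
import fnmatch
import json

# Constructed placeholder for the page's "Account-ID".
ACCOUNT_ID = "111122223333"
DAVE = f"arn:aws:iam::{ACCOUNT_ID}:user/Dave"

# Constructed bucket policy mirroring the page's example, plus an extra
# explicit Deny statement to show that Deny overrides Allow.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleStatement1",
            "Effect": "Allow",
            "Principal": {"AWS": DAVE},
            "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
            # Bucket ARN for the bucket-level actions, object ARN for GetObject.
            "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
        },
        {
            "Sid": "DenySecrets",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucket/secrets/*",
        },
    ],
}

MAX_BUCKET_POLICY_BYTES = 20 * 1024  # the 20 KB limit stated on the page


def _as_list(value):
    """Policy elements may be written as a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal_element, principal_arn):
    """Match the statement's Principal element against the caller's ARN.

    Handles the "*" shorthand and the {"AWS": ...} form; other principal
    types (e.g. Service) are out of scope for this simplified model.
    """
    if principal_element == "*":
        return True
    aws = _as_list(principal_element.get("AWS"))
    return "*" in aws or principal_arn in aws


def _matches_any(patterns, value):
    """Action and Resource entries support the * and ? wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def check_policy_size(policy):
    """Return True if the serialized policy fits the 20 KB bucket policy limit."""
    return len(json.dumps(policy).encode("utf-8")) <= MAX_BUCKET_POLICY_BYTES


def evaluate(policy, principal_arn, action, resource_arn):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        if stmt["Effect"] == "Allow":
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    alice = f"arn:aws:iam::{ACCOUNT_ID}:user/Alice"  # constructed second user
    requests = [
        (DAVE, "s3:ListBucket", "arn:aws:s3:::examplebucket"),
        (DAVE, "s3:GetObject", "arn:aws:s3:::examplebucket/report.txt"),
        (DAVE, "s3:GetObject", "arn:aws:s3:::examplebucket/secrets/key.pem"),
        (DAVE, "s3:PutObject", "arn:aws:s3:::examplebucket/report.txt"),
        (alice, "s3:ListBucket", "arn:aws:s3:::examplebucket"),
    ]
    print("policy within 20 KB:", check_policy_size(BUCKET_POLICY))
    for who, action, res in requests:
        user = who.rsplit("/", 1)[1]
        print(f"{user:6} {action:22} {res:48} -> {evaluate(BUCKET_POLICY, who, action, res)}")
```

Running the block shows Dave's ListBucket and GetObject on report.txt allowed, GetObject under secrets/ explicitly denied despite the matching Allow, PutObject implicitly denied because no statement grants it, and Alice implicitly denied because she is not a listed principal. Dropping the object ARN from the Resource list makes Dave's s3:GetObject requests fall through to ImplicitDeny, which is the practical reason the page's policy needs arn:aws:s3:::examplebucket/* alongside the bucket ARN.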

For more information about the access policy elements, see the following topics:

The following topics provide additional policy examples: