Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Bucket Policy Examples

This section presents a few examples of typical use cases for bucket policies. The policies use "bucket" and "examplebucket" strings in the resource value. To test these policies, you need to replace these strings with your bucket name. For information about access policy language, see Access Policy Language Overview.

You can use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket. You can then use the generated document to set your bucket policy by using the Amazon S3 console, by a number of third-party tools, or via your application.

Note

When testing permissions using the Amazon S3 console, you also need to grant the additional permissions the console itself requires: s3:ListAllMyBuckets, s3:GetBucketLocation, and s3:ListBucket. For an example walkthrough that grants permissions to users and tests them using the console, see An Example Walkthrough: Using user policies to control access to your bucket.

Granting Permissions to Multiple Accounts with Added Conditions

The following example policy grants the s3:PutObject and s3:PutObjectAcl permissions to multiple AWS accounts and requires that any request for these operations include the public-read canned ACL. For more information, see Specifying Permissions in a Policy and Specifying Conditions in a Policy.

{
  "Version":"2012-10-17",
  "Statement":[{
      "Sid":"AddCannedAcl",
      "Effect":"Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]
      },
      "Action":["s3:PutObject","s3:PutObjectAcl"],
      "Resource":["arn:aws:s3:::examplebucket/*"],
      "Condition":{
        "StringEquals":{
          "s3:x-amz-acl":["public-read"]
        }
      }
    }
  ]
}

Granting Read-Only Permission to an Anonymous User

The following example policy grants the s3:GetObject permission to anonymous (public) users. (For a list of permissions and the operations they allow, see Specifying Permissions in a Policy.) This permission allows anyone to read the object data, which is useful when you configure your bucket as a website and want everyone to be able to read the objects in the bucket.

{
  "Version":"2012-10-17",
  "Statement":[{
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}
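An unconditioned grant to "Principal": "*" is exactly what you want for a public website bucket and exactly what you do not want anywhere else, so it is worth being able to find such statements mechanically. The following linter is an added example written for this page, not code from the S3 guide or from AWS: it flags Allow statements that grant to everyone with no Condition, malformed action names, and AWS principals that are neither a 12-digit account ID nor an ARN. The second policy document is a constructed sample with two deliberate defects.

```python
# Added example, not part of the S3 guide: a small linter for the checks a
# reviewer makes first on a bucket policy. It flags Allow statements that
# grant to everyone ("Principal": "*" or {"AWS": "*"}) without a Condition,
# malformed action names, and AWS principals that are neither a 12-digit
# account ID nor an ARN. The policy documents below are constructed samples.
import json
import re

ACTION_RE = re.compile(r"^[a-z0-9-]+:(\*|[A-Za-z0-9]+\*?)$")   # s3:GetObject, s3:Put*, s3:*
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(document):
    """Return a list of (sid, message) findings for a bucket policy given as JSON text or dict."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid") or "Statement[%d]" % idx
        principal = stmt.get("Principal", {})
        aws_ids = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # 1. A grant to everyone that no condition narrows down.
        if stmt.get("Effect") == "Allow" and "*" in aws_ids and "Condition" not in stmt:
            findings.append((sid, "allows %s to everyone with no Condition"
                             % ", ".join(_as_list(stmt.get("Action", [])))))
        # 2. Action names must look like service:Name, service:Prefix* or service:*.
        for action in _as_list(stmt.get("Action", [])):
            if not ACTION_RE.match(action):
                findings.append((sid, "malformed action name %r" % action))
        # 3. AWS principals are account IDs (12 digits) or ARNs.
        for p in aws_ids:
            if p != "*" and not p.startswith("arn:") and not ACCOUNT_ID_RE.match(p):
                findings.append((sid, "AWS principal %r is neither a 12-digit account ID nor an ARN" % p))
    return findings

# The anonymous-read policy from this section, as JSON text.
ANONYMOUS_READ = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AddPerm",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::examplebucket/*"]
  }]
}"""

# Constructed sample with two defects: a doubled wildcard in the action name
# and a 10-digit account number in the principal.
DEFECTIVE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Upload",
    "Effect": "Allow",
    "Principal": {"AWS": "1111111111"},
    "Action": "s3:**",
    "Resource": "arn:aws:s3:::examplebucket/*"
  }]
}"""

if __name__ == "__main__":
    for name, doc in (("anonymous-read", ANONYMOUS_READ), ("defective", DEFECTIVE)):
        for sid, message in lint_policy(doc) or [("-", "no findings")]:
            print("%s: %s: %s" % (name, sid, message))
```

The public-grant check deliberately stays quiet when a Condition block is present, so the IP-restricted and referer-restricted policies later in this section pass it; whether a given condition is strong enough is a judgement the linter leaves to the reviewer.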

Restricting Access to Specific IP Addresses

The following example grants permissions to any user to perform any Amazon S3 operations on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition.

The condition in this statement identifies the 54.240.143.* range of allowed IP addresses, with one exception: 54.240.143.188.

The Condition block uses the IpAddress and NotIpAddress conditions and the aws:SourceIp condition key, which is an AWS-wide condition key. For more information, see Specifying Conditions in a Policy. Also note that the aws:SourceIp values use the CIDR notation described in RFC 4632. For more information, go to http://www.rfc-editor.org/rfc/rfc4632.txt.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition" : {
                "IpAddress" : {
                    "aws:SourceIp": "54.240.143.0/24" 
                },
                "NotIpAddress" : {
                    "aws:SourceIp": "54.240.143.188/32" 
                } 
            } 
        } 
    ]
}

Restricting Access to a Specific HTTP Referrer

Suppose you have a website with the domain name www.example.com (or example.com) that links to photos and videos stored in your Amazon S3 bucket, examplebucket. By default, all Amazon S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows the s3:GetObject permission with a condition, using the aws:Referer key, that the GET request must originate from specific web pages. The following policy specifies the StringLike condition with the aws:Referer condition key.

{
  "Version":"2012-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests originated from www.example.com and example.com",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{
          "aws:Referer":[
            "http://www.example.com/*",
            "http://example.com/*"
          ]
        }
      }
    }
  ]
}

Make sure the browsers you use include the HTTP Referer header in the request.

You can further secure access to objects in the examplebucket bucket by adding an explicit deny to the bucket policy, as shown in the following example. An explicit deny supersedes any permission you might grant to objects in the examplebucket bucket by other means, such as ACLs or user policies.

{
   "Version": "2012-10-17",
   "Id": "http referer policy example",
   "Statement": [
      {
         "Sid": "Allow get requests referred by www.example.com and example.com",
         "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::examplebucket/*",
         "Condition": {
            "StringLike": {
               "aws:Referer": [
                  "http://www.example.com/*",
                  "http://example.com/*"
               ]
            }
         }
      },
      {
         "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/*",
         "Condition": {
            "StringNotLike": {
               "aws:Referer": [
                  "http://www.example.com/*",
                  "http://example.com/*"
               ]
            }
         }
      }
   ]
}

Granting Permission to an Amazon CloudFront Origin Identity

The following example bucket policy grants a CloudFront Origin Identity permission to get all objects in your Amazon S3 bucket. The CloudFront Origin Identity is used to enable CloudFront's private content feature. The policy uses the CanonicalUser prefix, instead of AWS, to specify a canonical user ID. To learn more about CloudFront's support for serving private content, go to the Serving Private Content topic in the Amazon CloudFront Developer Guide. You must specify the canonical user ID for your CloudFront distribution's origin access identity. For instructions on finding the canonical user ID, see Specifying a Principal in a Policy.

{
  "Version":"2012-10-17",
  "Id":"PolicyForCloudFrontPrivateContent",
  "Statement":[{
      "Sid":"Grant a CloudFront Origin Identity access to support private content",
      "Effect":"Allow",
      "Principal":{
        "CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
      },
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::example-bucket/*"
    }
  ]
}

Adding a Bucket Policy to Require MFA Authentication

Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to AWS Multi-Factor Authentication. You can require MFA authentication for any requests to access your Amazon S3 resources.

You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. IAM users can access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request.

When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, go to Using Multi-Factor Authentication (MFA) Devices with AWS.

{
   "Version": "2012-10-17",
   "Id": "123",
   "Statement": [
      {
         "Sid": "",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
         "Condition": { "Null": { "aws:MultiFactorAuthAge": true }}
      }
   ]
}

The Null condition in the Condition block evaluates to true if the aws:MultiFactorAuthAge key value is null, indicating that the temporary security credentials in the request were created without an MFA device.

The following bucket policy is an extension of the preceding bucket policy. It includes two policy statements. One statement allows the s3:GetObject permission on a bucket (examplebucket) to everyone and another statement further restricts access to the examplebucket/taxdocuments folder in the bucket by requiring MFA authentication.

{
   "Version": "2012-10-17",
   "Id": "123",
   "Statement": [
      {
         "Sid": "",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
         "Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
      },
      {
         "Sid": "",
         "Effect": "Allow",
         "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::examplebucket/*"
      }
   ]
}

You can optionally use a numeric condition to limit the duration for which the aws:MultiFactorAuthAge key is valid, independent of the lifetime of the temporary security credential used in authenticating the request. For example, the following bucket policy, in addition to requiring MFA authentication, also checks how long ago the temporary session was created. The policy denies any operation if the aws:MultiFactorAuthAge key value indicates that the temporary session was created more than an hour ago (3,600 seconds).

{
   "Version": "2012-10-17",
   "Id": "123",
   "Statement": [
      {
         "Sid": "",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
         "Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
      },
      {
         "Sid": "",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
         "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": 3600 } }
      },
      {
         "Sid": "",
         "Effect": "Allow",
         "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::examplebucket/*"
      }
   ]
}
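The IP-address, referer and MFA policies above all rely on how condition operators combine with an explicit Deny, and the edge cases (a request from the excluded address, a request with no Referer header at all, a session created with MFA but more than an hour ago) are the ones worth checking before a policy goes live. The evaluator below is an added example written for this page, not AWS's evaluation engine: it implements the operators used in this section, models the documented rules that an explicit Deny overrides any Allow, that a request matching no statement is implicitly denied, and that negated operators such as NotIpAddress and StringNotLike match when the condition key is absent from the request, and runs the three policies (transcribed as Python dicts) against constructed requests. Note that the Referer value is supplied by the client, so the referer policies deter hotlinking rather than authenticate the caller; the IP and MFA conditions key on values AWS derives itself.

```python
# Added example, not AWS's own evaluation engine: a small evaluator for the
# condition operators used in this section, run against the IP-address,
# referer and MFA policies above (transcribed as Python dicts). It models
# the rules that an explicit Deny overrides any Allow, that a request
# matching no statement is implicitly denied, and that negated operators
# (NotIpAddress, StringNotLike, ...) match when the condition key is absent.
import fnmatch
import ipaddress

NEGATED = {"NotIpAddress", "StringNotEquals", "StringNotLike"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _cond_ok(op, key, expected, ctx):
    """Evaluate one condition pair; condition key names are case-insensitive."""
    actual = ctx.get(key.lower())
    expected = [str(e) for e in _as_list(expected)]
    if op == "Null":
        return (actual is None) == (expected[0].lower() == "true")
    if actual is None:
        return op in NEGATED            # absent key: only negated operators match
    if op in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
    elif op in ("StringEquals", "StringNotEquals"):
        hit = str(actual) in expected
    elif op in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(str(actual), e) for e in expected)
    elif op == "NumericGreaterThan":
        return float(actual) > float(expected[0])
    else:
        raise ValueError("unsupported operator: " + op)
    return not hit if op in NEGATED else hit

def _applies(stmt, req):
    """True when Principal, Action, Resource and every Condition pair match the request."""
    principal = stmt["Principal"]
    if principal != "*":
        ids = [p for v in principal.values() for p in _as_list(v)]
        if "*" not in ids and req["principal"] not in ids:
            return False
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    ctx = {k.lower(): v for k, v in req["context"].items()}
    return all(_cond_ok(op, k, exp, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, exp in pairs.items())

def evaluate(policy, req):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _applies(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"           # explicit deny wins regardless of other statements
            decision = "Allow"
    return decision

def request(action, key, context=None, principal="anonymous"):
    """Constructed request: an action on an object key in examplebucket plus condition context."""
    return {"principal": principal, "action": action,
            "resource": "arn:aws:s3:::examplebucket/" + key, "context": context or {}}

OBJ = "arn:aws:s3:::examplebucket/*"
IP_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": OBJ,
     "Condition": {"IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
                   "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}}}]}
REFERER_SITES = ["http://www.example.com/*", "http://example.com/*"]
REFERER_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJ,
     "Condition": {"StringLike": {"aws:Referer": REFERER_SITES}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": OBJ,
     "Condition": {"StringNotLike": {"aws:Referer": REFERER_SITES}}}]}
TAX = "arn:aws:s3:::examplebucket/taxdocuments/*"
MFA_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": TAX,
     "Condition": {"Null": {"aws:MultiFactorAuthAge": True}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": TAX,
     "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": 3600}}},
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": OBJ}]}

if __name__ == "__main__":
    cases = [
        ("GET from 54.240.143.10", IP_POLICY, request("s3:GetObject", "a.jpg", {"aws:SourceIp": "54.240.143.10"})),
        ("GET from excluded .188", IP_POLICY, request("s3:GetObject", "a.jpg", {"aws:SourceIp": "54.240.143.188"})),
        ("GET with no Referer", REFERER_POLICY, request("s3:GetObject", "a.jpg")),
        ("tax doc, no MFA", MFA_POLICY, request("s3:GetObject", "taxdocuments/2013.pdf")),
        ("tax doc, MFA 2h old", MFA_POLICY, request("s3:GetObject", "taxdocuments/2013.pdf", {"aws:MultiFactorAuthAge": 7200})),
    ]
    for name, policy, req in cases:
        print("%-24s -> %s" % (name, evaluate(policy, req)))
```

Two results are easy to get wrong by intuition and are the reason to run such a check: the request from 54.240.143.188 is not explicitly denied but simply matches no statement (the Allow statement's NotIpAddress condition fails), and a request that carries no Referer at all is explicitly denied, because the negated StringNotLike operator matches an absent key, which is why the section tells you to make sure browsers send the header.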

Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control

You can allow another AWS account to upload objects to your bucket. However, you may decide that as a bucket owner you must have full control of the objects uploaded to your bucket. The following policy enforces that a specific AWS account (111111111111) be denied the ability to upload objects unless that account grants full-control access to the bucket owner identified by the email address (xyz@amazon.com). The StringEquals condition in the policy specifies the s3:x-amz-grant-full-control condition key to express the requirement (see Specifying Conditions in a Policy).

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"111",
         "Effect":"Allow",
         "Principal":{
            "AWS":"111111111111"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::examplebucket/*"
      },
      {
         "Sid":"112",
         "Effect":"Deny",
         "Principal":{
            "AWS":"111111111111"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::examplebucket/*",
         "Condition":{
            "StringNotEquals":{
               "s3:x-amz-grant-full-control":[
                  "emailAddress=xyz@amazon.com"
               ]
            }
         }
      }
   ]
}