AWS::S3::BucketPolicy
Applies an Amazon S3 bucket policy to an Amazon S3 bucket.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::S3::BucketPolicy", "Properties" : { "Bucket" :String, "PolicyDocument" :Json} }
YAML
Type: AWS::S3::BucketPolicy Properties: Bucket:StringPolicyDocument:Json
Properties
Bucket-
The name of the Amazon S3 bucket to which the policy applies.
Required: Yes
Type: String
Update requires: Replacement
PolicyDocument-
A policy document containing permissions to add to the specified bucket. For more information, see Access Policy Language Overview in the Amazon Simple Storage Service Developer Guide.
Required: Yes
Type: Json
Update requires: No interruption
Examples
Bucket policy that allows GET requests from specific referers
The following sample is a bucket policy that is attached to the myExampleBucket bucket and allows GET requests that originate from www.example.com and example.com:
JSON
"SampleBucketPolicy" : { "Type" : "AWS::S3::BucketPolicy", "Properties" : { "Bucket" : {"Ref" : "myExampleBucket"}, "PolicyDocument": { "Statement":[{ "Action":["s3:GetObject"], "Effect":"Allow", "Resource": { "Fn::Join" : ["", ["arn:aws:s3:::", { "Ref" : "myExampleBucket" } , "/*" ]]}, "Principal":"*", "Condition":{ "StringLike":{ "aws:Referer":[ "http://www.example.com/*", "http://example.com/*" ] } } }] } } }
YAML
SampleBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: "myExampleBucket" PolicyDocument: Statement: - Action: - "s3:GetObject" Effect: "Allow" Resource: Fn::Join: - "" - - "arn:aws:s3:::" - Ref: "myExampleBucket" - "/*" Principal: "*" Condition: StringLike: aws:Referer: - "http://www.example.com/*" - "http://example.com/*"
