This guide is no longer being updated. For current information and instructions, see the new Amazon S3 User Guide.
Bucket Policy Examples
This section presents a few examples of typical use cases for bucket policies. The policies use placeholder bucket names (bucket, examplebucket, and DOC-EXAMPLE-BUCKET) in the resource value. To test these policies, replace these strings with your bucket name. For information about access policy language, see Policies and Permissions in Amazon S3.
Bucket policies are limited to 20 KB in size.
You can use the AWS Policy Generator
When testing permissions using the Amazon S3 console, you will need to grant additional permissions that the console requires: s3:ListAllMyBuckets, s3:GetBucketLocation, and s3:ListBucket. For an example walkthrough that grants permissions to users and tests them using the console, see Walkthrough: Controlling access to a bucket with user policies.
Topics
- Granting Permissions to Multiple Accounts with Added Conditions
- Granting Read-Only Permission to an Anonymous User
- Limiting Access to Specific IP Addresses
- Restricting Access to a Specific HTTP Referer
- Granting Permission to an Amazon CloudFront OAI
- Adding a Bucket Policy to Require MFA
- Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control
- Granting Permissions for Amazon S3 Inventory and Amazon S3 Analytics
- Granting Permissions for Amazon S3 Storage Lens
- Example Bucket Policies for VPC Endpoints for Amazon S3
Granting Permissions to Multiple Accounts with Added Conditions
The following example policy grants the s3:PutObject and s3:PutObjectAcl permissions to multiple AWS accounts and requires that any request for these operations include the public-read canned access control list (ACL). For more information, see Amazon S3 Actions and Amazon S3 Condition Keys.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddCannedAcl",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["public-read"]
        }
      }
    }
  ]
}
Granting Read-Only Permission to an Anonymous User
The following example policy grants the s3:GetObject permission to any public anonymous user. (For a list of permissions and the operations that they allow, see Amazon S3 Actions.) This permission allows anyone to read the object data, which is useful when you configure your bucket as a website and want everyone to be able to read objects in the bucket. Before you use a bucket policy to grant read-only permission to an anonymous user, you must disable block public access settings for your bucket. For more information, see Setting permissions for website access.
Use caution when granting anonymous access to your Amazon S3 bucket or disabling block public access settings. When you grant anonymous access, anyone in the world can access your bucket. We recommend that you never grant anonymous access to your Amazon S3 bucket unless you specifically need to, such as with static website hosting.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    }
  ]
}
Limiting Access to Specific IP Addresses
The following example denies permissions to any user to perform any Amazon S3 operations on objects in the specified S3 bucket unless the request originates from the range of IP addresses specified in the condition.
This statement identifies 54.240.143.0/24 as the range of allowed Internet Protocol version 4 (IPv4) addresses.
The Condition block uses the NotIpAddress condition and the aws:SourceIp condition key, which is an AWS-wide condition key. For more information about these condition keys, see Amazon S3 Condition Keys. The aws:SourceIp IPv4 values use the standard CIDR notation. For more information, see IAM JSON Policy Elements Reference in the IAM User Guide.
Replace the IP address range in this example with an appropriate value for your use case before using this policy. Otherwise, you will lose the ability to access your bucket.
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      }
    }
  ]
}
Allowing IPv4 and IPv6 Addresses
When you start using IPv6 addresses, we recommend that you update all of your organization's policies with your IPv6 address ranges in addition to your existing IPv4 ranges to ensure that the policies continue to work as you make the transition to IPv6.
The following example bucket policy shows how to mix IPv4 and IPv6 address ranges to cover all of your organization's valid IP addresses. The example policy would allow access to the example IP addresses 54.240.143.1 and 2001:DB8:1234:5678::1 and would deny access to the addresses 54.240.143.129 and 2001:DB8:1234:5678:ABCD::1.
The IPv6 values for aws:SourceIp must be in standard CIDR format. For IPv6, we support using :: to represent a range of 0s (for example, 2001:DB8:1234:5678::/64). For more information, see IP Address Condition Operators in the IAM User Guide.
Replace the IP address ranges in this example with appropriate values for your use case before using this policy. Otherwise, you might lose the ability to access your bucket.
{
  "Id": "PolicyId2",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIPmix",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "54.240.143.0/24",
            "2001:DB8:1234:5678::/64"
          ]
        },
        "NotIpAddress": {
          "aws:SourceIp": [
            "54.240.143.128/30",
            "2001:DB8:1234:5678:ABCD::/80"
          ]
        }
      }
    }
  ]
}
Restricting Access to a Specific HTTP Referer
Suppose that you have a website with a domain name (www.example.com or example.com) with links to photos and videos stored in your Amazon S3 bucket, DOC-EXAMPLE-BUCKET. By default, all the Amazon S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:Referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.
{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": ["http://www.example.com/*", "http://example.com/*"]
        }
      }
    }
  ]
}
Make sure the browsers you use include the HTTP referer header in the request.
Granting Permission to an Amazon CloudFront OAI
The following example bucket policy grants a CloudFront origin access identity (OAI) permission to get (read) all objects in your Amazon S3 bucket. You can use a CloudFront OAI to allow users to access objects in your bucket through CloudFront but not directly through Amazon S3. For more information, see Restricting Access to Amazon S3 Content by Using an Origin Access Identity in the Amazon CloudFront Developer Guide.
The following policy uses the OAI's ID as the policy's Principal. For more information about using S3 bucket policies to grant access to a CloudFront OAI, see Using Amazon S3 Bucket Policies in the Amazon CloudFront Developer Guide.
To use this example:
- Replace EH1HDMB1FH2TC with the OAI's ID. To find the OAI's ID, see the Origin Access Identity page on the CloudFront console, or use ListCloudFrontOriginAccessIdentities in the CloudFront API.
- Replace DOC-EXAMPLE-BUCKET with the name of your Amazon S3 bucket.
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    }
  ]
}
Adding a Bucket Policy to Require MFA
Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security that you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, see AWS Multi-Factor Authentication.
You can enforce the MFA requirement using the aws:MultiFactorAuthAge key in a bucket policy. AWS Identity and Access Management (IAM) users can access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (AWS STS). You provide the MFA code at the time of the AWS STS request.
When Amazon S3 receives a request with multi-factor authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the bucket DOC-EXAMPLE-BUCKET if the request is not authenticated using MFA. To learn more about MFA, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
      "Condition": {
        "Null": {"aws:MultiFactorAuthAge": true}
      }
    }
  ]
}
The Null condition in the Condition block evaluates to true if the aws:MultiFactorAuthAge key value is null, indicating that the temporary security credentials in the request were created without the MFA key.
The following bucket policy is an extension of the preceding bucket policy. It includes two policy statements. One statement allows the s3:GetObject permission on a bucket (DOC-EXAMPLE-BUCKET) to everyone. Another statement further restricts access to the DOC-EXAMPLE-BUCKET/taxdocuments folder in the bucket by requiring MFA.
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
      "Condition": {
        "Null": {"aws:MultiFactorAuthAge": true}
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    }
  ]
}
You can optionally use a numeric condition to limit the duration for which the aws:MultiFactorAuthAge key is valid, independent of the lifetime of the temporary security credential used in authenticating the request. For example, the following bucket policy, in addition to requiring MFA authentication, also checks how long ago the temporary session was created. The policy denies any operation if the aws:MultiFactorAuthAge key value indicates that the temporary session was created more than an hour ago (3,600 seconds).
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
      "Condition": {
        "Null": {"aws:MultiFactorAuthAge": true}
      }
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
      "Condition": {
        "NumericGreaterThan": {"aws:MultiFactorAuthAge": 3600}
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    }
  ]
}
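To check how the IP-range policies earlier on this page and the MFA policies in this section resolve for concrete requests, here is a small added evaluator (example code written for this page, not AWS's policy engine). It models only the operators these examples use (IpAddress, NotIpAddress, Null, NumericGreaterThan) and evaluates a bucket policy in isolation, so the IPAllow policy yields an implicit deny rather than an allow for an in-range address, because a Deny statement grants nothing by itself; the embedded IP_MIX and MFA policies are constructed copies of the page's AllowIPmix and three-statement MFA examples.

```python
import fnmatch, ipaddress

BUCKET = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
# Constructed copies of the page's AllowIPmix and three-statement MFA policies, reduced to
# the fields this toy evaluator reads (Effect, Action, Resource, Condition).
IP_MIX = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": ["54.240.143.0/24", "2001:DB8:1234:5678::/64"]},
                  "NotIpAddress": {"aws:SourceIp": ["54.240.143.128/30", "2001:DB8:1234:5678:ABCD::/80"]}}}]}
MFA = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/taxdocuments/*", "Condition": {"Null": {"aws:MultiFactorAuthAge": True}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/taxdocuments/*", "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": 3600}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"}]}

def _ip_in(value, cidrs):
    # True if the request's source IP (v4 or v6) lies inside any of the listed CIDR ranges.
    return value is not None and any(ipaddress.ip_address(value) in ipaddress.ip_network(c, strict=False) for c in cidrs)

# Only the operators used on this page; `have` is the request-context value (None when the key is absent), `vals` the policy's value list.
OPERATORS = {
    "IpAddress": lambda have, vals: _ip_in(have, vals),
    "NotIpAddress": lambda have, vals: not _ip_in(have, vals),
    "Null": lambda have, vals: (have is None) == (str(vals[0]).lower() == "true"),  # "Null": true holds when the key is absent
    "NumericGreaterThan": lambda have, vals: have is not None and float(have) > float(vals[0]),
}

def _condition_holds(condition, ctx):
    # Every operator/key pair in the Condition block must hold (logical AND across them).
    for op, keys in condition.items():
        for key, want in keys.items():
            vals = want if isinstance(want, list) else [want]
            if not OPERATORS[op](ctx.get(key), vals):
                return False
    return True

def _matches(field, value):
    # Action and Resource may be a string or a list; '*' and '?' are IAM wildcards.
    pats = field if isinstance(field, list) else [field]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def evaluate(policy, action, resource, ctx):
    # Returns 'Deny', 'Allow' or 'ImplicitDeny'. An explicit Deny always wins, as in IAM.
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Calling evaluate(IP_MIX, "s3:GetObject", BUCKET + "/photo.jpg", {"aws:SourceIp": "54.240.143.129"}) reproduces the page's claim that 54.240.143.129 is denied while 54.240.143.1 is allowed, and the MFA policy shows the same object being allowed with a fresh MFA session and denied without one or after 3,600 seconds.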
Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control
The following example shows how to allow another AWS account to upload objects to your bucket while taking full control of the uploaded objects. This policy enforces that a specific AWS account (123456789012) be granted the ability to upload objects only if that account includes the bucket-owner-full-control canned ACL on upload. The StringEquals condition in the policy specifies the s3:x-amz-acl condition key to express the requirement (see Amazon S3 Condition Keys).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PolicyForAllowUploadWithACL",
      "Effect": "Allow",
      "Principal": {"AWS": "123456789012"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    }
  ]
}
Granting Permissions for Amazon S3 Inventory and Amazon S3 Analytics
Amazon S3 inventory creates lists of the objects in an Amazon S3 bucket, and Amazon S3 analytics export creates output files of the data used in the analysis. The bucket that the inventory lists the objects for is called the source bucket. The bucket where the inventory file is written and the bucket where the analytics export file is written are each called a destination bucket. You must create a bucket policy for the destination bucket when setting up inventory for an Amazon S3 bucket and when setting up the analytics export. For more information, see Amazon S3 inventory and Amazon S3 analytics – Storage Class Analysis.
The following example bucket policy grants Amazon S3 permission to write objects (PUTs) from the account for the source bucket to the destination bucket. You use a bucket policy like this on the destination bucket when setting up Amazon S3 inventory and Amazon S3 analytics export.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InventoryAndAnalyticsExamplePolicy",
      "Effect": "Allow",
      "Principal": {"Service": "s3.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": ["arn:aws:s3:::destinationbucket/*"],
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::sourcebucket"
        },
        "StringEquals": {
          "aws:SourceAccount": "123456789012",
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Granting Permissions for Amazon S3 Storage Lens
Amazon S3 Storage Lens aggregates your usage and activity metrics and displays the information in an interactive dashboard on the Amazon S3 console or through a metrics data export that can be downloaded in CSV or Parquet format. You can use the dashboard to visualize insights and trends, flag outliers, and receive recommendations for optimizing storage costs and applying data protection best practices. You can use S3 Storage Lens through the AWS Management Console, AWS CLI, AWS SDKs, or REST API.
S3 Storage Lens can aggregate your storage usage to metrics exports in an Amazon S3 bucket for further analysis. The bucket in which S3 Storage Lens places its metrics exports is known as the destination bucket. You must have a bucket policy for the destination bucket when setting up your S3 Storage Lens metrics export. For more information, see Amazon S3 Storage Lens.
The following example bucket policy grants Amazon S3 permission to write objects (PUTs) to a destination bucket. You use a bucket policy like this on the destination bucket when setting up an S3 Storage Lens metrics export.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3StorageLensExamplePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": ["storage-lens.s3.amazonaws.com"]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::destination-bucket/destination-prefix/StorageLens/111122223333/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": "111122223333",
          "aws:SourceArn": "arn:aws:s3:your-region:111122223333:storage-lens/your-dashboard-configuration-id"
        }
      }
    }
  ]
}
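A hand-edited policy can easily end up with the "StringEquals" key repeated inside the Condition block, and most JSON parsers keep only the last copy, dropping the other conditions without complaint. The following added linter (example code for this page, not an AWS tool) rejects duplicate keys, applies the 20 KB limit stated at the top of this page, and flags the two statement shapes the page cautions about or conditions: an unconditional Allow to Principal "*", and a service-principal Allow lacking the aws:SourceAccount/aws:SourceArn conditions that the inventory and Storage Lens examples carry. The 20 KB = 20480 bytes conversion and the sample policy text are assumptions.

```python
import json

MAX_POLICY_BYTES = 20 * 1024  # the page states a 20 KB limit; 1 KB = 1024 bytes is assumed here

# Constructed sample: a hand-edited Storage Lens style policy whose Condition repeats
# "StringEquals" instead of listing all condition keys under one operator object.
DUPLICATE_KEYS_SAMPLE = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "storage-lens.s3.amazonaws.com"}, "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::destination-bucket/*",
  "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"},
                "StringEquals": {"aws:SourceAccount": "111122223333"}}}]}'''

def _reject_duplicates(pairs):
    # json.loads keeps only the last value of a repeated key, so the ACL condition above
    # would vanish silently. Raise instead so the policy author notices.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}; put all condition keys under one operator")
        obj[key] = value
    return obj

def lint_bucket_policy(text):
    """Return a list of findings for a bucket policy given as JSON text ([] when clean)."""
    findings = []
    if len(text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("policy exceeds the 20 KB bucket policy size limit")
    try:
        policy = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError as well
        return findings + [f"invalid JSON: {exc}"]
    statements = policy.get("Statement", [])
    for st in statements if isinstance(statements, list) else [statements]:
        label = st.get("Sid") or f"{st.get('Effect')} statement"
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        cond_keys = {k for keys in st.get("Condition", {}).values() for k in keys}
        if principal in ("*", {"AWS": "*"}) and not cond_keys:
            findings.append(f'{label}: unconditional Allow to Principal "*" grants anonymous access')
        if isinstance(principal, dict) and "Service" in principal and not cond_keys & {"aws:SourceAccount", "aws:SourceArn"}:
            findings.append(f"{label}: service principal Allow without aws:SourceAccount/aws:SourceArn")
    return findings
```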
The following modification to the previous bucket policy's "Action": "s3:PutObject" resource applies when setting up an S3 Storage Lens organization-level metrics export.
{
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::destination-bucket/destination-prefix/StorageLens/your-organization-id/*",