Bucket Policy
A Bucket Policy is a JSON-based set of access control rules that defines who can perform what actions on which resources in a bucket. It is a more powerful security mechanism than the simple Private/Public mode.
Access the Bucket Policy
Step 1: Go to Simple Storage → Buckets, then click the name of the bucket you want to configure.
Step 2: Open the Bucket Policy tab in the bucket management section.

Step 3: The page shows a JSON editor for the policy. Click Apply templates to browse available policy templates.

Policy JSON Structure
An S3-standard Bucket Policy has the following structure:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement identifier (optional)",
      "Effect": "Allow | Deny",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::bucket-name/*"]
    }
  ]
}
Key fields:
| Field | Description |
|---|---|
| Version | Policy version — always use "2012-10-17" |
| Statement | Array of policy statements |
| Sid | Statement identifier (optional, for easier management) |
| Effect | Allow or Deny |
| Principal | Target subject: "*" = everyone, or specify a user/account |
| Action | List of S3 actions to allow or deny |
| Resource | ARN of the bucket or object the policy applies to |
Common S3 Actions
| Action | Description |
|---|---|
| s3:GetObject | Read/download an object |
| s3:PutObject | Upload a new object |
| s3:DeleteObject | Delete an object |
| s3:ListBucket | List objects in a bucket |
| s3:GetBucketPolicy | Read the bucket's policy |
| s3:PutBucketPolicy | Write a new policy for the bucket |
| s3:GetBucketCors | Read the CORS configuration |
| s3:* | All S3 actions |
Commonly Used Policy Examples
1. Allow public read (Static Website / CDN)
Allow everyone to read all objects in the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
2. Allow read from a specific folder only
Allow public read only for files in the public/ folder:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadPublicFolder",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/public/*"
    }
  ]
}
3. Deny object deletion (data protection)
Prevent everyone (including the owner) from deleting objects in the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteObject",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
4. Allow upload from a specific IP address
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUploadFromIP",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.10/32"
        }
      }
    }
  ]
}
Apply a Policy
Step 1: Paste or edit the JSON policy in the editor.
Step 2: Click Save or Apply to save and apply the policy.
Step 3: The system validates the JSON syntax and applies it immediately.
If the JSON has syntax errors, the portal shows an error message and does not save the policy.
Delete a Policy
To remove the entire policy and return the bucket to its default state, clear all content in the editor and click Save. The bucket then operates with the Access Policy (Private/Public) set at creation time.
A policy with "Effect": "Deny" always takes priority over "Effect": "Allow", even when the bucket is in Public mode. Check carefully before applying a Deny policy to avoid locking yourself out.
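The Deny-over-Allow rule above can be checked against a draft before it is pasted into the editor. The following is an added example, not the portal's own code: it evaluates a policy for a single request and reports whether a Deny would block `s3:PutBucketPolicy` on the bucket. It assumes a simplified model: only `"Principal": "*"` and the `IpAddress` / `aws:SourceIp` condition are handled, wildcards are matched with Python's `fnmatch` (which also treats `[` specially), and the `DenyPrivateFolder` statement and all function names are hypothetical.

```python
import fnmatch
import ipaddress

def _as_list(value):  # policy fields may be one string or a list of strings
    return [value] if isinstance(value, str) else list(value)

def _condition_ok(stmt, source_ip):
    """Model only IpAddress/aws:SourceIp (policy example 4); refuse anything else."""
    cond = stmt.get("Condition", {})
    if set(cond) - {"IpAddress"}:
        raise ValueError("condition operator not modelled in this sketch")
    cidrs = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
    if not cidrs:
        return True
    if source_ip is None:
        return False  # a request of unknown origin cannot satisfy an IP condition
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _matches(stmt, action, resource, source_ip):
    if stmt.get("Principal") != "*":
        raise ValueError("only Principal '*' is modelled in this sketch")
    return (any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
            and _condition_ok(stmt, source_ip))

def evaluate(policy, action, resource, source_ip=None):
    """Return 'Deny', 'Allow', or 'NoMatch' (the Private/Public mode then decides)."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, resource, source_ip)}
    if "Deny" in effects:
        return "Deny"  # an explicit Deny beats every matching Allow
    return "Allow" if effects else "NoMatch"

def locks_out_policy_edits(policy, bucket_arn):
    """True if the draft would deny rewriting the bucket's own policy."""
    return evaluate(policy, "s3:PutBucketPolicy", bucket_arn) == "Deny"

# Constructed draft: examples 1 and 4 from this page plus a hypothetical Deny.
BUCKET = "arn:aws:s3:::bucket-name"
DRAFT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "AllowUploadFromIP", "Effect": "Allow", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}}},
    {"Sid": "DenyPrivateFolder", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET + "/private/*"},
]}
```

With this draft, `evaluate(DRAFT, "s3:GetObject", BUCKET + "/private/report.pdf")` returns `Deny` even though `PublicReadGetObject` also matches the request.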