You can refer to buckets and objects in bucket policies. Amazon S3 policies use the Amazon Resource Name (ARN) format for specifying them, as follows:
arn:aws:s3:::[resourcename]
The resource name is the fully qualified name of a bucket or object that the user is
requesting access to. For buckets, the resource name is bucketname,
where bucketname is the name of the bucket. For objects,
the format for the resource’s name is bucketname/keyname, where
bucketname is the name of the bucket and
keyname is the full name of the object. For example,
if you have a bucket called “Ooyala” and an object with the name
shared/developer/settings.conf, the resource name for
the bucket would be Ooyala; for the object it would be
Ooyala/shared/developer/settings.conf.
The Principal is one or more people who receive or are denied permission
according to the policy. You must specify the principal by using the principal's
AWS account ID (e.g., 1234-5678-9012, with or without the hyphens). The AWS
account ID can belong to either an AWS Account or an IAM User. You can specify
multiple principals, or a wildcard (*) to indicate all possible users. You can
view your account ID by logging in to your AWS account at http://aws.amazon.com and clicking
Account Activity in the Accounts
tab.
Instead of specifying an AWS account ID, you can specify a Canonical User ID when granting permission to an AWS Account. You can view your Canonical User ID by logging in to your AWS account at http://aws.amazon.com and clicking Security Credentials in the Accounts tab. You can also grant a CloudFront Origin Access Identity using the Canonical User ID associated with that identity. To learn more about CloudFront's support for serving private content, go to the Serving Private Content topic in the Amazon CloudFront Developer Guide. You must specify the Canonical User ID for your CloudFront distribution's origin identity, not your AWS Account.
In JSON, you use "AWS": as a prefix for the principal's AWS account ID and
the "CanonicalUser": prefix for the principal’s AWS Canonical User
ID.
Note: When you grant other AWS accounts access to your AWS resources, be aware that the AWS accounts can delegate their permissions to users under their accounts. This is known as cross-account access. For information about using cross-account access, go to Enabling Cross-Account Access in Using Identity and Access Management.
The following list shows the format for the Amazon S3 actions that you can reference in a policy.

Actions Related to Objects

- s3:GetObject (covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAP GetObject, and SOAP GetObjectExtended)
- s3:GetObjectVersion (covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAP GetObject, and SOAP GetObjectExtended)
- s3:PutObject (covers the REST PUT Object, REST POST Object, REST Initiate Multipart Upload, REST Upload Part, REST Complete Multipart Upload, SOAP PutObject, and SOAP PutObjectInline)
- s3:GetObjectAcl
- s3:GetObjectVersionAcl
- s3:PutObjectAcl
- s3:PutObjectVersionAcl
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload

Actions Related to Buckets

- s3:CreateBucket
- s3:DeleteBucket
- s3:ListBucket
- s3:ListBucketVersions
- s3:ListAllMyBuckets (covers REST GET Service and SOAP ListAllMyBuckets)
- s3:ListBucketMultipartUploads

Actions Related to Bucket Sub-Resources

- s3:GetBucketAcl
- s3:PutBucketAcl
- s3:GetBucketVersioning
- s3:PutBucketVersioning
- s3:GetBucketRequesterPays
- s3:PutBucketRequesterPays
- s3:GetBucketLocation
- s3:PutBucketPolicy
- s3:GetBucketPolicy
- s3:PutBucketNotification
- s3:GetBucketNotification
- s3:GetBucketLogging
- s3:PutBucketLogging
- s3:GetLifecycleConfiguration
- s3:PutLifecycleConfiguration
You can delete objects by explicitly calling the DELETE Object API, or you can configure their lifecycle (see Object Expiration) so that Amazon S3 removes them for you. If you want to block users or accounts from removing or deleting objects from your bucket, you must deny them the s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifecycleConfiguration actions; denying only the two delete actions still leaves a lifecycle rule as a way to expire the objects.
The following table shows the keys related to buckets that can be in Amazon S3 policies. (The action and key columns were recovered from the row descriptions; the valid and example values did not survive extraction.)

| Action | Applicable Keys | Description |
|---|---|---|
| s3:CreateBucket | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the bucket. A canned ACL represents a predefined permission that can be applied to the bucket being created. Valid values: Example value: |
| s3:CreateBucket | s3:LocationConstraint | Specifies the Region where the bucket will be created. Valid values are Example value: |
| s3:ListBucket | s3:prefix | Limits the response to objects that begin with the specified prefix. Use this to allow or deny access to objects that begin with the prefix. Example value: |
| s3:ListBucket | s3:delimiter | The character you use to group objects. Example value: |
| s3:ListBucket | s3:max-keys | The number of objects to return from the call. The maximum allowed value (and default) is 1000. For use with access policy language numeric conditions (for more information, see Numeric Conditions). Example value: |
| s3:ListBucketVersions | s3:prefix | Header that lets you limit the response to include only keys that begin with the specified prefix. Example value: |
| s3:ListBucketVersions | s3:delimiter | The character you use to group objects. Example value: |
| s3:ListBucketVersions | s3:max-keys | The number of objects to return from the call. The maximum allowed value (and default) is 1000. For use with access policy language numeric conditions (for more information, see Numeric Conditions). Example value: |
| s3:PutBucketAcl | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the bucket. A canned ACL represents a predefined permission that can be applied to the bucket being created. Valid values: Example value: |
The following table shows the keys related to objects that can be in Amazon S3 policies. (The action and key columns were recovered from the row descriptions; the valid and example values did not survive extraction.)

| Action | Applicable Keys | Description |
|---|---|---|
| s3:PutObject | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: Example value: |
| s3:PutObject | s3:x-amz-copy-source | The header that specifies the name of the source bucket and key name of the source object, separated by a slash (/). Used when copying an object. Example value: |
| s3:PutObject | s3:x-amz-metadata-directive | The header that specifies whether the metadata is copied from the source object or replaced with metadata provided in the request. If copied, the metadata, except for the version ID, remains unchanged. Otherwise, all original metadata is replaced by the metadata you specify. Used when copying an object. Valid values: Example value: |
| s3:PutObjectAcl | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: Example value: |
| s3:GetObjectVersion | s3:VersionId | The version ID of the object being retrieved. Example value: |
| s3:GetObjectVersionAcl | s3:VersionId | The version ID of the object ACL being retrieved. Example value: |
| s3:PutObjectVersionAcl | s3:VersionId | The version ID of the object ACL being PUT. Example value: |
| s3:PutObjectVersionAcl | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: Example value: |
| s3:DeleteObjectVersion | s3:VersionId | The version ID of the object being deleted. Example value: |
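The following added example (not code from the AWS documentation) ties together the delete-blocking advice above and the s3:prefix condition key from the bucket table: it builds a bucket policy for the page's "Ooyala" bucket and runs a simplified evaluation over it to show that an explicit Deny on the three delete paths wins regardless of who calls, and that a ListBucket Allow scoped by s3:prefix does not match a request that carries no prefix. The partner account ID and the policy itself are constructed placeholders, and the evaluator models only the bucket policy, not the caller's own IAM policies.

```python
import fnmatch

# Constructed example policy (an assumption, not from the page): one partner
# account may list and read objects under shared/ only, and every delete path
# the page names, including lifecycle rules, is denied to everyone.
BUCKET = "Ooyala"          # bucket name from the page's ARN example
PARTNER = "123456789012"   # placeholder account ID, not a real account
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PARTNER}, "Action": "s3:ListBucket",
     "Resource": f"arn:aws:s3:::{BUCKET}",
     "Condition": {"StringLike": {"s3:prefix": "shared/*"}}},
    {"Effect": "Allow", "Principal": {"AWS": PARTNER}, "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/shared/*"},
    {"Effect": "Deny", "Principal": "*",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob_any(value, patterns):
    # IAM-style matching: * and ? are wildcards in Action and Resource values.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(principal, account):
    return principal == "*" or account in _as_list(principal.get("AWS", []))

def _conditions_match(cond, ctx):
    # A referenced key missing from the request context fails the condition.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "StringEquals" and have not in _as_list(want):
                return False
            if op == "StringLike" and not _glob_any(have, want):
                return False
    return True

def evaluate(policy, account, action, resource, ctx=None):
    """Bucket-policy decision only (the caller's own IAM policies are ignored):
    an explicit Deny wins, and without a matching Allow the default is DENY."""
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_matches(st["Principal"], account)
                and _glob_any(action, st["Action"])
                and _glob_any(resource, st["Resource"])
                and _conditions_match(st.get("Condition", {}), ctx or {})):
            continue
        if st["Effect"] == "Deny":
            return "DENY"
        allowed = True
    return "ALLOW" if allowed else "DENY"
```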