Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Example Cases for Amazon S3 Bucket Policies

This section gives a few examples of typical use cases for bucket policies.

Note

You can use the AWS Policy Generator tool to create a bucket policy for your Amazon S3 bucket. You can then use the generated document to set your bucket policy using the Amazon S3 console, a number of third party tools or via your application. To use the policy generation tool, go to AWS Policy Generator.

Granting Permissions to Multiple Accounts with Added Restrictions

The following example policy grants the s3:PutObject and s3:PutObjectAcl permissions to two accounts, and requires that every such request include the public-read canned ACL (checked through the s3:x-amz-acl condition key).

Example

{
  "Version":"2008-10-17",
  "Statement":[
    {
      "Sid":"AddCannedAcl",
      "Effect":"Allow",
      "Principal":{
        "AWS":["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]
      },
      "Action":["s3:PutObject","s3:PutObjectAcl"],
      "Resource":["arn:aws:s3:::bucket/*"],
      "Condition":{
        "StringEquals":{
          "s3:x-amz-acl":["public-read"]
        }
      }
    }
  ]
}

Granting Permission to an Anonymous User

The following example policy grants s3:GetObject permission on every object in the bucket to anonymous users (the wildcard principal), so anyone can read those objects.

Example

{
  "Version":"2008-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal":{
        "AWS":"*"
      },
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::bucket/*"]
    }
  ]
}
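A wildcard principal such as the one above is exactly what a bucket-policy audit should surface. The following is an added example, not code from the Amazon S3 documentation: it parses a policy document and reports every Allow statement whose Principal is the wildcard, separating statements that carry no Condition (genuinely public) from those whose grant is narrowed by a condition such as aws:SourceIp. The sample policy embedded in it is a constructed copy of the anonymous-read policy shown above.

```python
import json

# Constructed sample: a copy of the anonymous-read policy from the section above.
ANONYMOUS_READ_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::bucket/*"],
    }],
})


def _as_list(value):
    """The policy grammar allows a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when the Principal element grants to everyone (anonymous access).

    Both spellings are covered: the bare string "*" and {"AWS": "*"} (or a
    list under "AWS" that contains "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return the Sids (or statement indexes) of Allow statements whose
    Principal is the wildcard.

    Statements with a Condition block are reported under "conditional"
    because a condition (for example aws:SourceIp) narrows the grant; the
    "unconditional" list is the one that means "readable by anyone"."""
    policy = json.loads(policy_json)
    unconditional, conditional = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        (conditional if stmt.get("Condition") else unconditional).append(label)
    return {"unconditional": unconditional, "conditional": conditional}


if __name__ == "__main__":
    print(find_public_statements(ANONYMOUS_READ_POLICY))
```

Run against the sample, the audit reports `AddPerm` as unconditional. The same function applied to the IP-restricted and Referer-restricted policies later on this page reports them as conditional, which is the right signal: those policies still use the wildcard principal, so the condition is the only thing standing between the objects and the public.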

Restricting Access to Specific IP Addresses

This statement grants any user permission to perform any S3 action on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition. The condition in this statement identifies the 192.168.143.* (192.168.143.0/24) range as allowed, with one exception: 192.168.143.188.

Note that the IpAddress and NotIpAddress values specified in the condition use the CIDR notation described in RFC 4632. For more information, go to http://www.rfc-editor.org/rfc/rfc4632.txt.

Example

{
    "Version": "2008-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.168.143.0/24"
                },
                "NotIpAddress": {
                    "aws:SourceIp": "192.168.143.188/32"
                }
            }
        }
    ]
}

Restricting Access to Specific HTTP Referer

The following example policy restricts access based on the HTTP Referer header: GET requests are allowed only when the Referer matches one of the StringLike patterns in the condition.

Example

{
  "Version":"2008-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests referred by www.mysite.com and mysite.com",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::example-bucket/*",
      "Condition":{
        "StringLike":{
          "aws:Referer":[
            "http://www.mysite.com/*",
            "http://mysite.com/*"
          ]
        }
      }
    }
  ]
}
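The IP-address and Referer policies above only make sense once you can see how a request context is matched against their Condition blocks. The following is an added example, not code from the Amazon S3 documentation: a small policy evaluator covering the condition operators used on this page (StringEquals, StringLike, IpAddress and NotIpAddress) together with principal, action and resource matching, applied to constructed copies of the policies shown here. It follows the IAM evaluation rules as this page's examples rely on them: nothing matching is an implicit deny, an explicit Deny wins, the operator/key pairs in one Condition must all hold, and any one of the listed values for a key may match. The caller string "anonymous" and the helper names are assumptions for the example; the evaluator is also used to show that a StringLike pattern with a leading space (as in an earlier revision of the Referer policy) never matches anything.

```python
import fnmatch
import ipaddress

# Constructed copy of the IP-restriction policy from the section above.
IP_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "192.168.143.0/24"},
            "NotIpAddress": {"aws:SourceIp": "192.168.143.188/32"},
        },
    }],
}


def make_referer_policy(patterns):
    """Build the Referer policy from the section above with the given
    StringLike patterns (hypothetical helper, so the patterns can vary)."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "RefererAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringLike": {"aws:Referer": list(patterns)}},
        }],
    }


def _as_list(value):
    """The policy grammar allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    """The bare "*" and {"AWS": "*"} match everyone; otherwise the caller ARN
    must be listed under "AWS"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller) for p in _as_list(principal.get("AWS", [])))
    return False


def _condition_holds(condition, context):
    """Every operator/key pair must hold (AND); within one key any listed
    value may match (OR). A missing context key fails a positive operator and
    satisfies the negated NotIpAddress, which is how IAM treats absent keys."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            values = _as_list(values)
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringLike":
                # IAM's "*" and "?" wildcards map onto fnmatch; case-sensitive.
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, v) for v in values)
            elif operator in ("IpAddress", "NotIpAddress"):
                if actual is None:
                    ok = operator == "NotIpAddress"
                else:
                    addr = ipaddress.ip_address(actual)
                    inside = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
                    ok = inside if operator == "IpAddress" else not inside
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, caller, action, resource, context):
    """Return "Allow" or "Deny" for one request. No matching statement is an
    implicit Deny; an explicit Deny statement always wins over an Allow."""
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket/report.csv"
    for ip in ("192.168.143.5", "192.168.143.188", "10.0.0.1"):
        print(ip, evaluate(IP_POLICY, "anonymous", "s3:GetObject", obj, {"aws:SourceIp": ip}))
```

With the IP policy, a request from 192.168.143.5 is allowed, while 192.168.143.188 (excluded by NotIpAddress) and 10.0.0.1 (outside the /24) fall through to the implicit deny. With the Referer policy, a request carrying `Referer: http://www.mysite.com/index.html` is allowed and one with no Referer is denied; the same evaluator handles the StringEquals check on s3:x-amz-acl from the canned-ACL policy at the top of this page. Note that aws:Referer is supplied by the client, so this condition is a hotlinking deterrent rather than an authentication control.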

Granting Permissions to Enable Log Delivery to an S3 Bucket

The following example policy enables log delivery to your Amazon S3 bucket. The account specified in the following policy is the Log Delivery group. You must use the ARN specified in this policy because it identifies the Log Delivery group. For more information, see Setting Up Server Access Logging.

Example

{
  "Version":"2008-10-17",
  "Id":"LogPolicy",
  "Statement":[
    {
      "Sid":"Enables the log delivery group to publish logs to your bucket",
      "Effect":"Allow",
      "Principal":{
        "AWS":"arn:aws:iam::111122223333:root"
      },
      "Action":[
        "s3:GetBucketAcl",
        "s3:GetObjectAcl",
        "s3:PutObject"
      ],
      "Resource":[
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

Granting Permission, Using Canonical ID, to a CloudFront Origin Identity

The following example bucket policy grants a CloudFront Origin Identity permission to GET all objects in your Amazon S3 bucket. The CloudFront Origin Identity is used to enable CloudFront's private content feature. The policy uses the CanonicalUser prefix, instead of AWS, to specify a Canonical User ID. To learn more about CloudFront's support for serving private content, go to the Serving Private Content topic in the Amazon CloudFront Developer Guide. You must specify the Canonical User ID of your CloudFront distribution's origin access identity; the value shown in the example is a placeholder.

Example

{
  "Version":"2008-10-17",
  "Id":"PolicyForCloudFrontPrivateContent",
  "Statement":[
    {
      "Sid":"Grant a CloudFront Origin Identity access to support private content",
      "Effect":"Allow",
      "Principal":{
        "CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
      },
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::example-bucket/*"
    }
  ]
}