Bucket policy examples

Here are some practical S3 bucket policy examples covering common use cases that help you secure and manage access to your S3 buckets. For more bucket policy examples, refer to the Amazon documentation.

Grant public read-only access to a bucket

Use this policy to allow public read-only access to objects in a bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadOnlyAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-public-bucket/*"
    }
  ]
}

Deny public access to a bucket

Use this policy to explicitly deny public access to the entire bucket, even if other policies or ACLs allow it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::my-private-bucket", "arn:aws:s3:::my-private-bucket/*"]
    }
  ]
}

Allow access from a specific IP range

Use this policy to grant read-only access to objects in the bucket only to clients connecting from a specific IP range.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessFromIP",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-secure-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.1.0/24"
        }
      }
    }
  ]
}

Grant access to another S3 user

Use this policy to allow another S3 user to upload objects into your bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountUpload",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::4de50c40e0254e8d987470bfb84980a1:862871b203ca9580"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-shared-bucket/*"
    }
  ]
}

Allow access to a specific folder

Use this policy to grant read access only to a specific folder inside the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFolderAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/folder1/*"
    }
  ]
}

Restrict access to objects within a specific path

Use this policy to allow a specific user to list objects under one prefix and read only the objects inside that folder, without access to other objects in the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListSpecificPrefix",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::4de50c40e0254e8d987470bfb84980a1:862871b203ca9580"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringEquals": {
          "s3:prefix": "my-folder/"
        }
      }
    },
    {
      "Sid": "AllowGetSpecificFolder",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::4de50c40e0254e8d987470bfb84980a1:862871b203ca9580"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/my-folder/*"
    }
  ]
}

Require a minimum TLS version

Use this policy to deny object uploads from clients that negotiate a TLS version earlier than 1.2 (for example, 1.1 or 1.0).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "NumericLessThan": {
          "s3:TlsVersion": 1.2
        }
      }
    }
  ]
}

Prevent deletion of objects

Use this policy to protect a bucket with important objects by denying DeleteObject actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyObjectDeletion",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
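As an added example that is not part of this page or of the storage service's own documentation, the small Python evaluator below models how the statements above combine for a single request: an explicit Deny beats any Allow, a Principal of "*" matches every caller (as in AWS IAM, the bucket owner included), and a Condition key missing from the request leaves that statement inactive. It supports only the condition operators used on this page (IpAddress, StringEquals, NumericLessThan) and bundles the IP-range allow and the delete deny into one constructed sample policy.

```python
import fnmatch
import ipaddress
def _as_list(x):
    return x if isinstance(x, list) else [x]
def _glob(pattern, value):
    # IAM patterns use only * and ?; escape "[" so fnmatch does not read it as a class
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def _conditions_hold(conditions, ctx):
    for op, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # key absent from the request: condition is not met
            if op == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                         for c in _as_list(expected))
            elif op == "StringEquals":
                ok = actual in [str(e) for e in _as_list(expected)]
            elif op == "NumericLessThan":
                ok = float(actual) < float(expected)
            else:
                raise ValueError(f"operator {op} is not modelled")
            if not ok:
                return False
    return True

def evaluate(policy, requester, action, resource, ctx=None):
    # Returns "Allow", "Deny" or "ImplicitDeny"; explicit Deny wins, "*" also covers the owner
    ctx, outcome = ctx or {}, "ImplicitDeny"
    for st in policy["Statement"]:
        p = st["Principal"]
        if not ((p == "*" or requester in _as_list(p.get("AWS", [])))
                and any(_glob(a, action) for a in _as_list(st["Action"]))
                and any(_glob(r, resource) for r in _as_list(st["Resource"]))
                and _conditions_hold(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome

# Constructed sample: the IP-range allow and the delete deny from this page in one policy
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-secure-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.0/24"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::my-secure-bucket/*"}]}
```

Running a GetObject request from 192.168.1.10 returns "Allow", the same request from 10.0.0.5 returns "ImplicitDeny", and a DeleteObject request returns "Deny" regardless of who sends it.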