Creating bucket policies

When configuring bucket policies, follow these best practices:

  • Use Deny statements where possible to enforce strict security.
  • Limit the use of "*" as Principal to avoid granting broad or unintended permissions.
  • Apply Conditions to enforce additional restrictions or requirements.
  • Regularly review and audit policies to ensure they align with security and compliance requirements.

Prerequisites

To add a policy to a bucket

  1. Go to the S3 > Buckets screen, and click the line with the required bucket.
  2. On the bucket right pane, click Manage bucket policy.
  3. In the Manage bucket policy window, upload a JSON file with bucket policy statements or create them manually as follows:

    1. In Policy builder, click Add to add a new statement.
    2. In the Add statement window that opens, do the following:

      1. Specify a statement ID (Sid). It can contain ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9), without spaces.
      2. Choose the statement type, Allow or Deny, to determine whether the specified actions will be allowed or denied for the selected resources and principals.
      3. Select S3 actions from the drop-down menu.
      4. Choose the resources that the statement will apply to:

        • Select All objects in the bucket if you want the statement to apply to all objects in the bucket.
        • Select Select prefix or object if you want the statement to apply to specific objects in the bucket. In the Resources section, click the folder icon and select the required object. You can add as many objects as needed.

      5. Choose principals:

        • Select All S3 users if you want to grant the permissions defined by the statement to all S3 users.
        • Select Specify S3 users or domains if you want to grant permissions only to specific users. In the Principals section, specify users or domains in the following format: arn:aws:iam::<domain_id>:<user_id>. You can add as many users as needed.

      6. In the Conditions section, click Add, select a condition key and operator from the drop-down menus, and then specify the desired value.
      7. Click Add to create the statement.

    3. Add as many statements as needed.
    4. In JSON view, check your policy in the JSON format.
    5. Click Download file to download the created policy as a JSON file to your machine.

  4. Click Save.

You can view the applied bucket policy in the JSON format on the Bucket policy tab.
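The following Python script is an added example, not part of this documentation or the product. It shows what a policy built with the steps above looks like in JSON view (Sid, Effect, Principal, Action, Resource, Condition) and runs the best-practice checks listed at the top of the page against it: it flags Allow statements with a "*" Principal, Allow statements without a Condition, Allow statements that grant every S3 action, and Sids containing characters other than ASCII letters and digits. The bucket name, prefix, source IP range and the sample policies are constructed for illustration; the domain and user IDs in the principal ARN are placeholders in the page's own format.

```python
import json
import re

# Constructed sample policy that follows the page's best practices: a narrow Allow
# for one user and one prefix, restricted by a condition, plus a Deny that applies
# to every principal. <domain_id> and <user_id> are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReportsReadForAnalyst",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::<domain_id>:<user_id>"]},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/reports/*",
            ],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Constructed policy that violates every best practice on the page, for comparison.
RISKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Public Read",          # contains a space
            "Effect": "Allow",
            "Principal": "*",              # every S3 user
            "Action": "s3:*",              # every action
            "Resource": "arn:aws:s3:::example-bucket/*",
            # no Condition
        }
    ],
}

# Sid rule from the procedure: ASCII letters and digits only, no spaces.
SID_RE = re.compile(r"^[A-Za-z0-9]+$")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when the statement applies to all S3 users ("*" in any form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_policy(policy):
    """Return a list of (sid, finding) tuples; an empty list means no findings."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if not SID_RE.match(stmt.get("Sid", "")):
            findings.append((sid, "Sid must contain only ASCII letters and digits, without spaces"))
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are the desired restrictive form
        if _is_wildcard_principal(stmt.get("Principal")):
            findings.append((sid, "Allow statement applies to all S3 users (Principal \"*\")"))
        if not stmt.get("Condition"):
            findings.append((sid, "Allow statement has no Condition restricting it"))
        if any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action"))):
            findings.append((sid, "Allow statement grants every S3 action"))
    return findings


def audit_policy_json(text):
    """Audit a policy given as the JSON text you would download from JSON view."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("SAMPLE_POLICY", SAMPLE_POLICY), ("RISKY_POLICY", RISKY_POLICY)):
        print(name)
        for sid, finding in audit_policy_json(json.dumps(policy)) or [("-", "no findings")]:
            print(f"  [{sid}] {finding}")
```

Run the script as-is to see the two policies side by side, or pass the JSON file downloaded from the Manage bucket policy window to audit_policy_json as part of the regular policy review the page recommends.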