Managing bucket policies
Virtuozzo Hybrid Infrastructure uses Policy-Based Access Control (PBAC) to manage user permissions by defining the actions and resources that authenticated users can access. Each policy specifies one or more actions and conditions that outline the permissions for a user or group of users. Only the bucket owner can attach a policy to a bucket, and the permissions specified in the policy apply to all objects in the bucket owned by the bucket owner.
The bucket owner retains ownership of all objects in the bucket and manages access exclusively through policies. Bucket policies are written using the JSON-based AWS Identity and Access Management (IAM) policy language, consisting of the following core elements:
- Statement: The primary component of a policy, defining the permissions and containing other elements such as principals, resources, actions, and effects. Policies often include an array of statements.
- Statement ID (Sid): A unique identifier assigned to each policy statement.
- Effect: Specifies whether the policy allows or denies an action. If no explicit permission is granted, the policy automatically denies access by default.
- Action: Lists the specific S3 actions that the policy permits or denies.
- Principal: Identifies the user, entity, or account granted permissions within the statement.
- Resource: Specifies the S3 bucket or objects to which the policy applies.
- Condition (optional): Defines additional restrictions or requirements under which the policy applies.
- Version (optional): Indicates the policy language version in use.
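A policy is easier to get right if it is checked before it is attached. The following linter is an added example, not Virtuozzo's own code: it verifies that every statement carries the elements listed above, that each action appears in the "Supported S3 actions" table further down this page, and it flags statements that grant permissions to every principal, with a harder failure when those permissions include the access-management actions (which let a principal rewrite the bucket's own access control). The `SAMPLE_POLICY` JSON, the bucket name, and the ARN-style `Resource` values are constructed sample data; the exact resource identifier format your deployment expects is not stated on this page.

```python
"""Lint a bucket policy before attaching it (added example, not Virtuozzo's
own code). Checks the structural elements, the supported-action list, and
statements that hand out permissions to every principal."""
import json

# Copied from the "Supported S3 actions" table on this page.
SUPPORTED_ACTIONS = {
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl",
    "s3:ListMultipartUploadParts", "s3:ListBucket", "s3:ListBucketMultipartUploads",
    "s3:ListBucketVersions", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation",
    "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketPolicy",
    "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetLifecycleConfiguration",
    "s3:GetReplicationConfiguration", "s3:PutObject", "s3:DeleteObject",
    "s3:DeleteObjectVersion", "s3:AbortMultipartUpload", "s3:DeleteBucket",
    "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification",
    "s3:PutBucketRequestPayment", "s3:PutBucketVersioning", "s3:PutBucketWebsite",
    "s3:PutLifecycleConfiguration", "s3:PutReplicationConfiguration",
    "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutObjectAcl",
    "s3:PutObjectVersionAcl", "s3:PutBucketAcl",
}
# The page's "Access management" level: these rewrite who can access the bucket.
ACCESS_MGMT = {"s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutObjectAcl",
               "s3:PutObjectVersionAcl", "s3:PutBucketAcl"}
REQUIRED = ("Effect", "Action", "Principal", "Resource")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_public(principal):
    """True when the Principal element matches every caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_policy(policy):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append(("error", "policy has no Statement"))
    seen_sids = set()
    for i, st in enumerate(statements):
        where = st.get("Sid") or f"statement[{i}]"
        if "Sid" in st:
            if st["Sid"] in seen_sids:
                findings.append(("error", f"{where}: duplicate Sid"))
            seen_sids.add(st["Sid"])
        for key in REQUIRED:
            if key not in st:
                findings.append(("error", f"{where}: missing {key}"))
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(("error", f"{where}: Effect must be Allow or Deny"))
        actions = _as_list(st.get("Action", []))
        for action in actions:
            if action != "s3:*" and action not in SUPPORTED_ACTIONS:
                findings.append(("error", f"{where}: action {action} is not supported"))
        if st.get("Effect") == "Allow" and _is_public(st.get("Principal")):
            if "Condition" not in st:
                findings.append(("warning", f"{where}: unconditional Allow for every principal (public access)"))
            if "s3:*" in actions or ACCESS_MGMT & set(actions):
                findings.append(("error", f"{where}: access-management actions granted to every principal"))
    return findings


# Constructed sample: a public-read statement plus a badly scoped admin statement
# (bucket name and ARN format are assumptions, not taken from this page).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AdminAcl", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutBucketAcl", "s3:GetBucketTagging"],
     "Resource": "arn:aws:s3:::example-bucket"}
  ]
}""")

if __name__ == "__main__":
    for severity, message in lint_policy(SAMPLE_POLICY):
        print(f"{severity}: {message}")
```

Run against the sample, the linter reports two warnings (both statements allow every principal unconditionally) and two errors (`s3:GetBucketTagging` is not in the supported list, and `s3:PutBucketAcl` is being handed to everyone). Wire `lint_policy` into whatever step produces the policy JSON so that an error blocks the upload.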
Virtuozzo Hybrid Infrastructure supports the following S3 actions, condition keys, and condition operators for bucket policies:
Supported S3 actions
Action | Access level | Resource | Description | Condition keys |
---|---|---|---|---|
s3:GetObject | Read | Object | Grants permission to retrieve objects from a bucket | |
s3:GetObjectAcl | Read | Object | Grants permission to return the access control list (ACL) of an object | |
s3:GetObjectVersion | Read | Object | Grants permission to retrieve a specific version of an object | |
s3:GetObjectVersionAcl | Read | Object | Grants permission to return the access control list (ACL) of a specific object version | |
s3:ListMultipartUploadParts | List | Object | Grants permission to list the parts that have been uploaded for a specific multipart upload | |
s3:ListBucket | List | Bucket | Grants permission to list some or all of the objects in a bucket (up to 1000) | |
s3:ListBucketMultipartUploads | List | Bucket | Grants permission to list in-progress multipart uploads | |
s3:ListBucketVersions | List | Bucket | Grants permission to list metadata about all the versions of objects in a bucket | |
s3:GetBucketAcl | Read | Bucket | Grants permission to use the acl subresource to return the access control list (ACL) of a bucket | |
s3:GetBucketCORS | Read | Bucket | Grants permission to return the CORS configuration information set for a bucket | |
s3:GetBucketLocation | Read | Bucket | Grants permission to return the region that a bucket resides in | |
s3:GetBucketLogging | Read | Bucket | Grants permission to return the logging status of a bucket and the permissions users have to view or modify that status | |
s3:GetBucketNotification | Read | Bucket | Grants permission to get the notification configuration of a bucket | |
s3:GetBucketPolicy | Read | Bucket | Grants permission to return the policy of the specified bucket | |
s3:GetBucketVersioning | Read | Bucket | Grants permission to return the versioning state of a bucket | |
s3:GetBucketWebsite | Read | Bucket | Grants permission to return the website configuration for a bucket | |
s3:GetLifecycleConfiguration | Read | Bucket | Grants permission to return the lifecycle configuration information set on a bucket | |
s3:GetReplicationConfiguration | Read | Bucket | Grants permission to get the replication configuration information set on a bucket | |
s3:PutObject | Write | Object | Grants permission to add an object to a bucket | |
s3:DeleteObject | Write | Object | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object | |
s3:DeleteObjectVersion | Write | Object | Grants permission to remove a specific version of an object | |
s3:AbortMultipartUpload | Write | Object | Grants permission to abort a multipart upload | |
s3:DeleteBucket | Write | Bucket | Grants permission to delete the bucket named in the URI | |
s3:PutBucketCORS | Write | Bucket | Grants permission to set the CORS configuration for a bucket | |
s3:PutBucketLogging | Write | Bucket | Grants permission to set the logging parameters for a bucket | |
s3:PutBucketNotification | Write | Bucket | Grants permission to receive notifications when certain events happen in a bucket | |
s3:PutBucketRequestPayment | Write | Bucket | Grants permission to set the request payment configuration of a bucket | |
s3:PutBucketVersioning | Write | Bucket | Grants permission to set the versioning state of an existing bucket | |
s3:PutBucketWebsite | Write | Bucket | Grants permission to set the configuration of the website that is specified in the website subresource | |
s3:PutLifecycleConfiguration | Write | Bucket | Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration | |
s3:PutReplicationConfiguration | Write | Bucket | Grants permission to create a new replication configuration or replace an existing one | |
s3:PutBucketPolicy | Access management | Bucket | Grants permission to add or replace a bucket policy on a bucket | |
s3:DeleteBucketPolicy | Access management | Bucket | Grants permission to delete the policy on a specified bucket | |
s3:PutObjectAcl | Access management | Object | Grants permission to set the access control list (ACL) permissions for new or existing objects in a bucket | |
s3:PutObjectVersionAcl | Access management | Object | Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket | |
s3:PutBucketAcl | Access management | Bucket | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) | |
|
Supported condition keys
Condition key | Description | Value |
---|---|---|
s3:x-amz-storage-class | Filters access by storage class | String |
s3:x-amz-acl | Filters access by canned ACL in the request's x-amz-acl header | String |
s3:x-amz-grant-full-control | Filters access by the x-amz-grant-full-control (full control) header | String |
s3:x-amz-grant-read | Filters access by the x-amz-grant-read (read access) header | String |
s3:x-amz-grant-read-acp | Filters access by the x-amz-grant-read-acp (read permissions for the ACL) header | String |
s3:x-amz-grant-write | Filters access by the x-amz-grant-write (write access) header | String |
s3:x-amz-grant-write-acp | Filters access by the x-amz-grant-write-acp (write permissions for the ACL) header | String |
s3:x-amz-copy-source | Filters access by copy source bucket, prefix, or object in copy object requests | String |
s3:TlsVersion | Filters access by the TLS version used by the client | Valid values: 1.2, 1.1, and 1.0 |
s3:x-amz-content-sha256 | Filters access by unsigned content in your bucket | Valid value: UNSIGNED-PAYLOAD |
s3:signatureversion | Filters access by the version of AWS Signature used on the request | Valid values: |
s3:signatureAge | Filters access by the age in milliseconds of the request signature | Numeric |
s3:authType | Filters access by authentication method | Valid values: REST-HEADER, REST-QUERY-STRING, and POST |
s3:x-amz-website-redirect-location | Filters access by a specific website redirect location for buckets that are configured as static websites | String |
s3:object-lock-mode | Filters access by object retention mode | Valid values: COMPLIANCE and GOVERNANCE |
s3:object-lock-retain-until-date | Filters access by object retain-until date | Date |
s3:object-lock-legal-hold | Filters access by object legal hold status | String |
s3:object-lock-remaining-retention-days | Filters access by remaining object retention days | Numeric |
s3:prefix | Filters access by key name prefix | String |
s3:versionid | Filters access by a specific object version | String |
s3:max-keys | Filters access by the maximum number of keys returned in a ListBucket request | Numeric |
aws:SourceIp | Filters access by IP range | String |
Supported condition operators
Condition operator | Description |
---|---|
StringEquals | Exact matching, case sensitive |
StringNotEquals | Negated matching, case sensitive |
StringEqualsIgnoreCase | Exact matching, ignoring case |
StringNotEqualsIgnoreCase | Negated matching, ignoring case |
StringLike | Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. Specify wildcards to achieve partial string matches. |
StringNotLike | Negated case-sensitive matching. The values can include multi-character match wildcards (*) or single-character match wildcards (?) anywhere in the string. |
NumericEquals | Exact matching |
NumericNotEquals | Negated matching |
NumericLessThan | "Less than" matching |
NumericLessThanEquals | "Less than or equals" matching |
NumericGreaterThan | "Greater than" matching |
NumericGreaterThanEquals | "Greater than or equals" matching |
DateEquals | Matching a specific date |
DateNotEquals | Negated matching |
DateLessThan | Matching before a specific date and time |
DateLessThanEquals | Matching at or before a specific date and time |
DateGreaterThan | Matching after a specific date and time |
DateGreaterThanEquals | Matching at or after a specific date and time |
BinaryEquals | Matching in binary format. It compares the value of the specified key byte for byte against a base-64 encoded representation of the binary value. If the specified key is not present in the request context, the values do not match. |
IpAddress | Matching the specified IP address or range |
NotIpAddress | Matching all IP addresses except the specified IP address or range |
To learn more about condition operators, refer to the AWS Identity and Access Management User Guide.
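To make the evaluation rules concrete (an explicit Deny overrides any Allow, an Allow is needed for access, and everything else is denied by default, as the Effect element above states), here is a small evaluator written as an added example; it is not Virtuozzo's code and is not a substitute for testing against the real service. The operator functions implement the string, numeric, date, and IP operators from the table above; within one condition key a positive operator is satisfied by any listed value, a negated operator only when every listed value misses, and a key absent from the request never satisfies a positive operator (the behaviour the table gives for BinaryEquals, applied to the other positive operators as well). The sample policy, the principal identifiers, the ARN-style resource names, and the request contexts are constructed.

```python
"""Minimal bucket-policy evaluator (added example, not Virtuozzo's code):
explicit Deny wins, an Allow grants access, otherwise default deny."""
import ipaddress
import re
from datetime import datetime


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wild(pattern, value):
    """IAM-style wildcard match: * is any run of characters, ? a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _date(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# operator name -> f(policy_value, request_value) -> bool
OPERATORS = {
    "StringEquals": lambda p, c: p == c,
    "StringNotEquals": lambda p, c: p != c,
    "StringEqualsIgnoreCase": lambda p, c: p.lower() == c.lower(),
    "StringNotEqualsIgnoreCase": lambda p, c: p.lower() != c.lower(),
    "StringLike": _wild,
    "StringNotLike": lambda p, c: not _wild(p, c),
    "NumericEquals": lambda p, c: float(c) == float(p),
    "NumericNotEquals": lambda p, c: float(c) != float(p),
    "NumericLessThan": lambda p, c: float(c) < float(p),
    "NumericLessThanEquals": lambda p, c: float(c) <= float(p),
    "NumericGreaterThan": lambda p, c: float(c) > float(p),
    "NumericGreaterThanEquals": lambda p, c: float(c) >= float(p),
    "DateLessThan": lambda p, c: _date(c) < _date(p),
    "DateGreaterThanEquals": lambda p, c: _date(c) >= _date(p),
    "IpAddress": lambda p, c: ipaddress.ip_address(c) in ipaddress.ip_network(p, strict=False),
    "NotIpAddress": lambda p, c: ipaddress.ip_address(c) not in ipaddress.ip_network(p, strict=False),
}


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. A positive operator needs one listed
    value to match; a negated one needs all of them to miss. A key missing
    from the request fails positive operators and passes negated ones."""
    for op_name, pairs in condition.items():
        op, negated = OPERATORS[op_name], "Not" in op_name
        for key, values in pairs.items():
            if key not in ctx:
                if negated:
                    continue
                return False
            checks = [op(str(v), str(ctx[key])) for v in _as_list(values)]
            if not (all(checks) if negated else any(checks)):
                return False
    return True


def _principal_matches(principal, who):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        ids = _as_list(principal.get("AWS", []))
        return "*" in ids or who in ids
    return False


def evaluate(policy, who, action, resource, ctx):
    """Return "Allow" or "Deny" for one request against the policy."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if not _principal_matches(st.get("Principal"), who):
            continue
        if not any(_wild(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"                      # explicit Deny overrides any Allow
        allowed = True
    return "Allow" if allowed else "Deny"      # nothing allowed it: default deny


# Constructed sample (identifiers and ARN format are assumptions): read access
# for one user from one network, and a blanket Deny below TLS 1.2.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OfficeRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam:::user/reader"},
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::reports/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
        {"Sid": "RequireTls12", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::reports/*",
         "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
    ],
}
READER = "arn:aws:iam:::user/reader"
OBJ = "arn:aws:s3:::reports/2024/q1.pdf"
OK_CTX = {"aws:SourceIp": "192.0.2.10", "s3:TlsVersion": "1.2"}

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, READER, "s3:GetObject", OBJ, OK_CTX))
    print(evaluate(SAMPLE_POLICY, READER, "s3:GetObject", OBJ, {**OK_CTX, "s3:TlsVersion": "1.1"}))
```

The two printed results are `Allow` (matching principal, action, resource, and source network) and `Deny` (the TLS 1.1 request trips the RequireTls12 statement even though OfficeRead would allow it). Dropping `aws:SourceIp` from the context, switching to a different user, or asking for `s3:PutObject` each fall through to the default deny because no Allow statement matches.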