Managing bucket policies

Virtuozzo Hybrid Infrastructure uses Policy-Based Access Control (PBAC) to manage user permissions by defining the actions and resources that authenticated users can access. Each policy specifies one or more actions and conditions that outline the permissions for a user or group of users. Only the bucket owner can attach a policy to a bucket, and the permissions specified in the policy apply to all objects in the bucket owned by the bucket owner.

The bucket owner retains ownership of all objects in the bucket and manages access exclusively through policies. Bucket policies are written using the JSON-based AWS Identity and Access Management (IAM) policy language, consisting of the following core elements:

Statement: The primary component of a policy, defining the permissions and containing other elements such as principals, resources, actions, and effects. Policies often include an array of statements.
Statement ID (Sid): A unique identifier assigned to each policy statement.
Effect: Specifies whether the policy allows or denies an action. If no explicit permission is granted, the policy automatically denies access by default.
Action: Lists the specific S3 actions that the policy permits or denies.
Principal: Identifies the user, entity, or account granted permissions within the statement.
Resource: Specifies the S3 bucket or objects to which the policy applies.
Condition (optional): Defines additional restrictions or requirements under which the policy applies.
Version (optional): Indicates the policy language version in use.

Virtuozzo Hybrid Infrastructure supports the following S3 actions, condition keys, and condition operators for bucket policies:

Supported S3 actions

Action	Access level	Resource	Description	Condition keys
`s3:GetObject`	Read	Object	Grants permission to retrieve objects from a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetObjectAcl`	Read	Object	Grants permission to return the access control list (ACL) of an object	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetObjectVersion`	Read	Object	Grants permission to retrieve a specific version of an object	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:versionid s3:x-amz-content-sha256 aws:SourceIp
`s3:GetObjectVersionAcl`	Read	Object	Grants permission to return the access control list (ACL) of a specific object version	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:versionid s3:x-amz-content-sha256 aws:SourceIp
`s3:ListMultipartUploadParts`	List	Object	Grants permission to list the parts that have been uploaded for a specific multipart upload	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:versionid s3:x-amz-content-sha256 aws:SourceIp
`s3:ListBucket`	List	Bucket	Grants permission to list some or all of the objects in a bucket (up to 1000).	s3:authType s3:max-keys s3:prefix s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:ListBucketMultipartUploads`	List	Bucket	Grants permission to list in-progress multipart uploads	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:ListBucketVersions`	List	Bucket	Grants permission to list metadata about all the versions of objects in a bucket	s3:authType s3:max-keys s3:prefix s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetBucketAcl`	Read	Bucket	Grants permission to use the acl subresource to return the access control list (ACL) of a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetBucketCORS`	Read	Bucket	Grants permission to return the CORS configuration information set for a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetBucketLocation`	Read	Bucket	Grants permission to return the region that a bucket resides in	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetBucketLogging`	Read	Bucket	Grants permission to return the logging status of a bucket and the permissions users have to view or modify that status	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetBucketNotification`	Read	Bucket	Grants permission to get the notification configuration of a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetBucketPolicy`	Read	Bucket	Grants permission to return the policy of the specified bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetBucketVersioning`	Read	Bucket	Grants permission to return the versioning state of a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetBucketWebsite`	Read	Bucket	Grants permission to return the website configuration for a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetLifecycleConfiguration`	Read	Bucket	Grants permission to return the lifecycle configuration information set on a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:GetReplicationConfiguration`	Read	Bucket	Grants permission to get the replication configuration information set on a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutObject`	Write	Object	Grants permission to add an object to a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-copy-source s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp s3:x-amz-storage-class s3:x-amz-website-redirect-location s3:object-lock-mode s3:object-lock-retain-until-date s3:object-lock-remaining-retention-days s3:object-lock-legal-hold aws:SourceIp
`s3:DeleteObject`	Write	Object	Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:DeleteObjectVersion`	Write	Object	Grants permission to remove a specific version of an object	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:versionid s3:x-amz-content-sha256 aws:SourceIp
`s3:AbortMultipartUpload`	Write	Object	Grants permission to abort a multipart upload	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:DeleteBucket`	Write	Bucket	Grants permission to delete the bucket named in the URI	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutBucketCORS`	Write	Bucket	Grants permission to set the CORS configuration for a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutBucketLogging`	Write	Bucket	Grants permission to set the logging parameters for a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutBucketNotification`	Write	Bucket	Grants permission to receive notifications when certain events happen in a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutBucketRequestPayment`	Write	Bucket	Grants permission to set the request payment configuration of a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutBucketVersioning`	Write	Bucket	Grants permission to set the versioning state of an existing bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutBucketWebsite`	Write	Bucket	Grants permission to set the configuration of the website that is specified in the website subresource	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutLifecycleConfiguration`	Write	Bucket	Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutReplicationConfiguration`	Write	Bucket	Grants permission to create a new replication configuration or replace an existing one	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutBucketPolicy`	Access management	Bucket	Grants permission to add or replace a bucket policy on a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:DeleteBucketPolicy`	Access management	Bucket	Grants permission to delete the policy on a specified bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-content-sha256 aws:SourceIp
`s3:PutObjectAcl`	Access management	Object	Grants permission to set the access control list (ACL) permissions for new or existing objects in a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp s3:x-amz-storage-class aws:SourceIp
`s3:PutObjectVersionAcl`	Access management	Object	Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:versionid s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp s3:x-amz-storage-class aws:SourceIp
`s3:PutBucketAcl`	Access management	Bucket	Grants permission to set the permissions on an existing bucket using access control lists (ACLs)	s3:authType s3:signatureAge s3:signatureversion s3:TlsVersion s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp aws:SourceIp

Supported condition keys

Condition key	Description	Value
s3:x-amz-storage-class	Filters access by storage class	String
s3:x-amz-acl	Filters access by canned ACL in the request's `x-amz-acl` header	String
s3:x-amz-grant-full-control	Filters access by `x-amz-grant-full-control` (full control) header	String
s3:x-amz-grant-read	Filters access by `x-amz-grant-read` (read access) header	String
s3:x-amz-grant-read-acp	Filters access by the `x-amz-grant-read-acp` (read permissions for the ACL) header	String
s3:x-amz-grant-write	Filters access by the `x-amz-grant-write` (write access) header	String
s3:x-amz-grant-write-acp	Filters access by the `x-amz-grant-write-acp` (write permissions for the ACL) header	String
s3:x-amz-copy-source	Filters access by copy source bucket, prefix, or object in the copy object requests	String
s3:TlsVersion	Filters access by the TLS version used by the client	Valid values: `1.2`, `1.1`, and `1.0`
s3:x-amz-content-sha256	Filters access by unsigned content in your bucket	Valid value: `UNSIGNED-PAYLOAD`
s3:signatureversion	Filters access by the version of AWS Signature used on the request	Valid values: `AWS` identifies Signature Version 2 `AWS4-HMAC-SHA256` identifies Signature Version 4
s3:signatureAge	Filters access by the age in milliseconds of the request signature	Numeric
s3:authType	Filters access by authentication method	Valid values: `REST-HEADER`, `REST-QUERY-STRING`, and `POST`
s3:x-amz-website-redirect-location	Filters access by a specific website redirect location for buckets that are configured as static websites	String
s3:object-lock-mode	Filters access by object retention mode	Valid values: `COMPLIANCE` and `GOVERNANCE`
s3:object-lock-retain-until-date	Filters access by object retain-until date	Date
s3:object-lock-legal-hold	Filters access by object legal hold status	String
s3:object-lock-remaining-retention-days	Filters access by remaining object retention days	Numeric
s3:prefix	Filters access by key name prefix	String
s3:versionid	Filters access by a specific object version	String
s3:max-keys	Filters access by maximum number of keys returned in a `ListBucket` request	Numeric
aws:SourceIp	Filters access by IP range	String

Supported condition operators

Condition operator	Description
`StringEquals`	Exact matching, case sensitive
`StringNotEquals`	Negated matching, case sensitive
`StringEqualsIgnoreCase`	Exact matching, ignoring case
`StringNotEqualsIgnoreCase`	Negated matching, ignoring case
`StringLike`	Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. Specify wildcards to achieve partial string matches.
`StringNotLike`	Negated case-sensitive matching. The values can include multi-character match wildcards (*) or single-character match wildcards (?) anywhere in the string.
`NumericEquals`	Exact matching
`NumericNotEquals`	Negated matching
`NumericLessThan`	"Less than" matching
`NumericLessThanEquals`	"Less than or equals" matching
`NumericGreaterThan`	"Greater than" matching
`NumericGreaterThanEquals`	"Greater than or equals" matching
`DateEquals`	Matching a specific date
`DateNotEquals`	Negated matching
`DateLessThan`	Matching before a specific date and time
`DateLessThanEquals`	Matching at or before a specific date and time
`DateGreaterThan`	Matching after a specific a date and time
`DateGreaterThanEquals`	Matching at or after a specific date and time
`BinaryEquals`	Matching in binary format. It compares the value of the specified key byte for byte against a base-64 encoded representation of the binary value. If the specified key is not present in the request context, the values do not match.
`IpAddress`	Matching the specified IP address or range
`NotIpAddress`	Matching all IP addresses except the specified IP address or range

To learn more about condition operators, refer to the AWS Identity and Access Management User Guide.