A bucket policy allows you to grant users access permissions on resources such as buckets and objects.
On the task console, creating, editing, and deleting a bucket policy are all displayed as setting a bucket policy.
Users can be authorized only within a single tenant, not across tenants.
When you set a bucket policy for multiple buckets in bulk, the new policy overwrites the policies already configured on those buckets. If you click OK without setting a new policy, all bucket policies configured on those buckets are deleted.
If a bucket policy denies permissions for all users on a bucket, that bucket becomes unavailable.
On the top navigation bar, click Storage, and then select Object Storage > Buckets from the navigation pane.
Select a bucket, and then click Bucket Policy.
To create a bucket policy, click Create. In the dialog box that opens, enter the required information, and then click OK.
To edit a bucket policy, select the policy, and then click Edit. In the dialog box that opens, edit the information as needed, and then click OK.
To delete a bucket policy, select the policy, and then click Delete. In the dialog box that opens, click OK.
Permitted Users: Specify the users the policy applies to. To specify multiple users, separate them with commas. To specify all users, enter an asterisk (*).
Permitted Buckets: Specify the buckets the policy applies to. To specify multiple buckets, separate them with commas. To specify all buckets, enter an asterisk (*).
Effect: Allow or deny the selected actions for the specified users.
Action: Select the permissions to be assigned to the users. For more information, see the following table:
Bucket access permission | User access permission | Remarks
--- | --- | ---
s3:GetObject | READ | Get an object
s3:GetObjectTorrent | READ | Get a torrent file from the bucket
s3:GetObjectVersion | READ | Get a specific version of an object
s3:GetObjectVersionTorrent | READ | Get a torrent file for a specific object version
s3:GetObjectTagging | READ | Get the tag set of an object
s3:GetObjectVersionTagging | READ | Get the tag set of a specific object version
s3:ListAllMyBuckets | READ | List all buckets owned by the authenticated sender
s3:ListBucket | READ | Return some or all (up to 1000) objects in the bucket
s3:ListBucketMultipartUploads | READ | List in-progress multipart uploads
s3:ListBucketVersions | READ | Get metadata about all versions of the objects in the bucket
s3:ListMultipartUploadParts | READ | List the parts uploaded for a specific multipart upload
s3:AbortMultipartUpload | WRITE | Abort a multipart upload
s3:CreateBucket | WRITE | Create a new bucket
s3:DeleteBucket | WRITE | Delete a bucket
s3:DeleteObject | WRITE | Remove the null version of an object (if any) and insert a delete marker, which becomes the current version of the object
s3:DeleteObjectVersion | WRITE | Delete a specific object version in the bucket
s3:PutObject | WRITE | Add an object to the bucket
s3:PutObjectTagging | WRITE | Set the supplied tag set on an object that already exists in the bucket
s3:PutObjectVersionTagging | WRITE | Set the tag set of a specific object version
s3:DeleteObjectTagging | WRITE | Delete the entire tag set from the specified object
s3:DeleteObjectVersionTagging | WRITE | Delete the entire tag set from the specified object version
s3:RestoreObject | WRITE | Restore an archived copy of an object back to Amazon S3
s3:GetAccelerateConfiguration | READ_ACP | Use the accelerate sub-resource to get the transfer acceleration state of the bucket, which is either Enabled or Suspended
s3:GetBucketAcl | READ_ACP | Use the acl sub-resource to get the access control list (ACL) of the bucket
s3:GetBucketCORS | READ_ACP | Get the CORS configuration set on the bucket
s3:GetBucketLocation | READ_ACP | Get the region where the bucket is located
s3:GetBucketLogging | READ_ACP | Get the logging status of the bucket and which users may view and modify that status
s3:GetBucketNotification | READ_ACP | Get the notification configuration of the bucket
s3:GetBucketPolicy | READ_ACP | Get the policy of the specified bucket
s3:GetBucketRequestPayment | READ_ACP | Get the request payment configuration of the bucket
s3:GetBucketTagging | READ_ACP | Get the tag set associated with the bucket
s3:GetBucketVersioning | READ_ACP | Get the versioning state of the bucket
s3:GetBucketWebsite | READ_ACP | Get the website configuration of the bucket
s3:GetLifecycleConfiguration | READ_ACP | Get the lifecycle configuration set on the bucket
s3:GetObjectAcl | READ_ACP | Get the access control list (ACL) of an object
s3:GetObjectVersionAcl | READ_ACP | Get the access control list (ACL) of a specific object version
s3:GetReplicationConfiguration | READ_ACP | Get the replication configuration of the bucket
s3:DeleteBucketPolicy | WRITE_ACP | Use the policy sub-resource to delete the policy of the specified bucket
s3:DeleteBucketWebsite | WRITE_ACP | Delete the website configuration of the bucket
s3:DeleteReplicationConfiguration | WRITE_ACP | Delete the replication configuration from the bucket
s3:PutAccelerateConfiguration | WRITE_ACP | Set the transfer acceleration configuration of an existing bucket (faster data transfer)
s3:PutBucketAcl | WRITE_ACP | Set permissions on an existing bucket using an access control list (ACL)
s3:PutBucketCORS | WRITE_ACP | Set the CORS configuration of the bucket
s3:PutBucketLogging | WRITE_ACP | Set the logging parameters of the bucket and specify which users may view and modify them
s3:PutBucketNotification | WRITE_ACP | Enable notifications of specified events for the bucket
s3:PutBucketPolicy | WRITE_ACP | Apply a bucket policy to the bucket
s3:PutBucketRequestPayment | WRITE_ACP | Set the request payment configuration of the bucket
s3:PutBucketTagging | WRITE_ACP | Set the tag set of the bucket
s3:PutBucketVersioning | WRITE_ACP | Set the versioning state of an existing bucket
s3:PutBucketWebsite | WRITE_ACP | Set the website configuration specified in the website sub-resource
s3:PutLifecycleConfiguration | WRITE_ACP | Create a new lifecycle configuration for the bucket or replace an existing one
s3:PutObjectAcl | WRITE_ACP | Use the acl sub-resource to set access control list (ACL) permissions on an object that already exists in the bucket
s3:PutObjectVersionAcl | WRITE_ACP | Use the acl sub-resource to set access control list (ACL) permissions on a specific version of an object that already exists in the bucket
s3:PutReplicationConfiguration | WRITE_ACP | Create a replication configuration or replace an existing one
Condition: The condition under which the bucket policy takes effect. For more information, see the following table:
AWS condition key | Description | Condition operators
--- | --- | ---
aws:CurrentTime | Used in conditions that check the date and time. | DateEquals: match a specific date; DateNotEquals: negated match
aws:EpochTime | The date in epoch (Unix) time, for use in date/time conditions. | NumericEquals: match; NumericNotEquals: negated match
aws:PrincipalType | Indicates whether the principal is an account, user, federated user, or assumed role. | StringEquals: exact match, case sensitive; StringNotEquals: negated match
aws:Referer | Compares the referrer of the request in the client browser with the referer you specify in the policy. The aws:Referer request context value is provided by the caller in an HTTP header. A web browser includes the Referer header in a request when you select a link on a web page; the header contains the URL of the page on which the link was selected. | StringEquals: exact match, case sensitive; StringNotEquals: negated match
aws:SecureTransport | A Boolean value indicating whether the request was sent using SSL. | Bool: Boolean match
aws:SourceIp | The requester's IP address, for use in IP address conditions. Refer to the IP address condition operators for when SourceIp is valid and when you should use a VPC-specific key instead. | IpAddress: the specified IP address or range; NotIpAddress: all IP addresses except the specified address or range
aws:UserAgent | A string containing information about the requester's client application. The string is generated by the client and can be unreliable. You can only use this context key from the AWS CLI. | StringEquals: exact match, case sensitive; StringNotEquals: negated match
aws:username | A string containing the friendly name of the current user. | StringEquals: exact match, case sensitive; StringNotEquals: negated match