General information about bucket policies

Access to a bucket can be set through a Bucket Policy. A policy consists of rules that allow or prohibit actions with a resource (a bucket or a group of objects) for all or selected users. The basic principle is that if a policy is created, everything that is not allowed is prohibited.

Bucket Policy applies to any authorized access. Authorized access is considered to be viewing and managing buckets and their objects through the control panel and API. Unauthorized access is considered to be requests to objects in public buckets via the public bucket domain or custom domains.

The Bucket Policy has a maximum size limit of 20 KB.

Bucket Policy can apply to any user who is allowed access to the storage according to the role model, and also defines access for users with s3.user, s3.bucket.user, and object_storage_user roles. For more information about the interaction between the role model and access policies, see the Managing Access in S3 guide.

Bucket policies can be managed by the Account Owner and users with the member role. If a user with the member role has the Projects access area selected, the corresponding project must be added to their permission.

Access policies can be created and managed in the control panel or via S3 API in accordance with the policy structure requirements.

Bucket Policy structure

The Bucket Policy has a JSON structure. Example policy:

{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {
          "AWS": [
             "*"
          ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",


        "arn:aws:s3:::bucket-name/*",


        "arn:aws:s3:::bucket-name/${aws:userid}/*"


      ],
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": [
            "storage-test-user-agent"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*"


    }
  ]
}

Policy content:

Field	Description	Data type	Required
Id	Policy identifier, can be anything	String	✗
Version	Bucket Policy version, value is a constant: "2012-10-17"	String	✓
Statement	Array of rules	Array	✓
Sid	Rule name	String	✗
Effect	Rule type (Allow or Deny)	String	✓
Principal:AWS	Users (specific user identifiers or * for all users)	Array of strings or string	✓
Actions	Actions or * for all actions	Array of strings or string	✓
Resources	Resources to which the rule applies	Array of strings or string	✓
Condition	Array of conditions presented in the following format: [operator]:[key]:[array of key values]	Array	✗

Rules

There are two types of rules: allow (Allow) and deny (Deny).

The allow or deny rule applies to actions, resources, and users added to the rule.

If a policy contains several rules, they are applied as follows:

• if at least one allow rule is met, access will be allowed;
• if at least one deny rule is met, access will be denied;
• if both allow and deny rules are met, access will be denied;
• if no rules are met, access will be denied.

Users

The rule applies to requests from principals (users):

• for authorized requests from specific users, specify user identifiers (you can view the service user identifier in the control panel);
• for all authorized requests, indicated by the * symbol.

You can only add users with access to the control panel as principals when configuring a policy through the control panel.

Resources

Resources are a bucket or a set of objects to which the rule applies. You can only specify resources associated with the bucket for which the policy is being configured.

Resources can be specified in the following formats:

• arn:aws:s3:::<bucket-name> — bucket resource, you can only specify one resource of this format (the bucket for which the policy is being configured). The resource will work for actions related to bucket configuration and does not apply to its objects ;
• arn:aws:s3:::<bucket-name>/<prefix> — bucket object resource, where <prefix> — the prefix the rule will apply to. If you specify *, all bucket objects will be included in the resources ;
• arn:aws:s3:::<bucket-name>/${<variable-name>} — bucket object resource, where <variable-name> — the name of the wildcard variable (key) that acts as a prefix.

Actions

If you specify *, all actions will be included in the rule.

s3:AbortMultipartUpload	Aborting multiparts upload of an object via S3 API
s3:DeleteBucket	Deleting a bucket
s3:DeleteObject	Deleting an object
s3:DeleteObjectVersion	Deleting an object version
s3:GetBucketCORS	Getting the CORS configuration of a bucket
s3:GetBucketLocation	Getting the pool where the bucket is located
s3:GetBucketVersioning	Getting bucket versioning information (whether it is enabled or not)
s3:GetObject	Reading an object
s3:GetObjectVersion	Reading a specific object version
s3:ListBucket	Reading a list of objects in a bucket (all or some)
s3:ListBucketMultipartUploads	Reading the list of objects in the process of multipart upload via S3 API
s3:ListBucketVersions	Reading metadata of all object versions in a bucket
s3:ListMultipartUploadParts	Reading the list of uploaded object parts during multipart upload via S3 API
s3:PutBucketCORS	Setting bucket CORS configuration
s3:PutBucketVersioning	Enabling or disabling bucket versioning
s3:PutObject	Adding an object to a bucket (upload or copy)
s3:GetObjectRetention	Getting object temporary lock information
s3:GetObjectLegalHold	Getting object indefinite lock information
s3:GetBucketObjectLockConfiguration	Obtaining Object Lock status and default locking in the bucket
s3:PutObjectRetention	Managing object temporary hold, except for disabling the lock
s3:PutObjectLegalHold	Managing object indefinite hold
s3:PutBucketObjectLockConfiguration	Setting Object Lock and default locking in the bucket
s3:BypassGovernanceRetention	Bypassing Governance-mode lock to delete an object, edit expiration date, or change the temporary hold mode

Conditions

A condition defines when a rule will work. A condition consists of a key, an operator, and a value.

If setting a condition results in a true value, the condition is satisfied.

Keys

A single key can be used in several conditions. A key can be assigned several values.

aws:CurrentTime	Compares the date and time of the request with the value specified in the condition
aws:Referer	Compares the Referer header in the request with the value specified in the condition. Example: https://example.com/
aws:PrincipalType	Specifies the type of entity to which the request is made. Possible values: Account; User; AssumedRole; Anonymous
aws:SecureTransport	Checks if the request was sent using SSL/TLS encryption. Possible values: true or false
aws:SourceIp	Compares the IP address from the request with the value from the condition
aws:UserAgent	Compares the UserAgent from the request with the value from the condition. Example values: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0); Gecko/20100101; Firefox/47.0
aws:userid	Compares the user identifier with the value from the condition. Example value: 9103a81de217448d908e53ac60c84acb
aws:username	Compares the user name with the value from the condition
s3:authType	Restricts incoming requests to the authentication method specified in the condition. Example values: REST-HEADER; REST-QUERY-STRING; POST
s3:delimiter	Sets the delimiter that must be included in user requests. Example value: /
s3:max-keys	Sets the maximum number of keys returned per ListBucket request
s3:prefix	Restricts access by the prefix in the key name
s3:signatureAge	Determines the lifetime of the signature in the authentication request (in milliseconds)
s3:signatureversion	Sets the AWS signature version for authentication requests. Example values: AWS; AWS4-HMAC-SHA256
s3:versionid	Sets access to a specific object version. Example value: L4kqtJlcpXroDTDmpUMLUo
s3:x-amz-content-sha256	Prohibits unsigned content in the request
s3:x-amz-copy-source	Restricts copy source to a specific bucket, prefix, or object
s3:x-amz-metadata-directive	Sets a forced choice of copying or replacing when copying objects
s3:x-amz-server-side-encryption	Requires server-side encryption
s3:x-amz-storage-class	Restricts access by storage class
s3:object-lock-legal-hold	Restricts access by object indefinite hold status. Possible hold status values: ON; OFF
s3:object-lock-mode	Restricts access by object lock mode. Possible lock mode values: GOVERNANCE; COMPLIANCE
s3:object-lock-remaining-retention-days	Restricts access by the number of days remaining on the object lock
s3:object-lock-retain-until-date	Restricts access by object lock expiration date
s3:if-match	Requires that the current ETag of the object matches the one specified in the request
s3:if-none-match	Requires that the current ETag of the object does not match the one specified in the request

Operators

Operators compare values from the resource request with the value specified in the key value in the condition.

Numbers

The number from the request is compared with the number specified in the condition.

NumericEquals	Value is equal to the one specified in the condition
NumericGreaterThan	Value is greater than the one specified in the condition
NumericGreaterThanEquals	Value is greater than or equal to the one specified in the condition
NumericLessThan	Value is less than the one specified in the condition
NumericLessThanEquals	Value is less than or equal to the one specified in the condition
NumericNotEquals	Value is not equal to the one specified in the condition

Strings

The string from the request is compared with the string specified in the condition.

StringEquals	Value matches the one specified in the condition (case-sensitive)
StringEqualsIgnoreCase	Value matches the one specified in the condition (case-insensitive)
StringLike	Value matches the pattern specified in the condition. Use wildcard characters: * — for multiple characters; — for a single character
StringNotEqualsThan	Value does not match the one specified in the condition (case-sensitive)
StringNotEqualsIgnoreCase	Value does not match the one specified in the condition (case-insensitive)
StringNotLike	Value does not match the pattern specified in the condition. Use wildcard characters: * — for multiple characters; — for a single character

Date and time

The date and time from the request are compared with the date and time specified in the condition.

DateEquals	Matches the specified date
DateGreaterThan	Matches a date later than the specified one
DateGreaterThanEquals	Matches the specified date or a later date
DateLessThan	Matches a date earlier than the specified one
DateLessThanEquals	Matches the specified date or an earlier date
DateNotEquals	Does not match the specified date

IP addresses

The IP address in CIDR format from the request is compared with the IP address from the condition.

IPAddress	Key value matches the specified IP address or is within the address range
NotIPAddress	Key value does not match the specified IP address or is not within the address range

Bool

The Bool operator compares the boolean value from the request (true or false) with the value from the key.

The condition is satisfied if the value from the request matches the value from the condition.

IfExists

The IfExists operator allows you to relax the condition if the key specified in the condition is missing from the request.

IfExists can only be used in conjunction with other operators (except Null). Addition format: <operator-name>IfExists — for example, StringEqualsIfExists.

The data type corresponds to the data type of the operator to which IfExists is added.

The satisfaction of the condition with IfExists depends on whether the key from the request is present in the condition.

• if the key is present, the condition is processed according to the rules of the operator with which IfExists was used and can take the value true or false;
• if the key is missing, the condition takes the value true.

Null

The Null operator checks for the presence of the key from the request in the condition.

Data type is boolean.

The condition with the Null operator is satisfied:

• if the key from the condition is missing in the request;
• if the key is present in the request but its value is not specified.