General information about bucket policies

Access to a bucket can be set through an access policy (Bucket policy).A policy consists of rules that allow or deny actions with a resource (a bucket or a group of objects) for all or selected principals (users).The basic principle is that if an access policy is created, everything that is not allowed is prohibited.

The access policy works for any authorized access.Authorized access is considered to be viewing and managing bucket and its objects through the control panel and API.Unauthorized access is considered to be requests to objects in public bucket by public bucket domain or user dom ains.

The Bucket Policy has a maximum size limit of 20 KB.

The access policy can apply to any user who is allowed access to the repository according to the role model, and also defines access for users with roles s3.user, s3.bucket.user and object_storage_user.For more information about the interaction between the role model and access policies, see the Managing Access in S3 tutorial.

Access policies can be managed by the Account Owner and users with the role of member.If a user with the member role has the Projects access area selected, the corresponding project must be added to the user's permission.

Create and manage access policies You can create and manage them in the control panel or via the S3 API according to the requirements of the policy structure. policy structure.

Bucket Policy structure

The Bucket Policy has a JSON structure. Example policy:

{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {
          "AWS": [
             "*"
          ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",


        "arn:aws:s3:::bucket-name/*",


        "arn:aws:s3:::bucket-name/${aws:userid}/*"


      ],
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": [
            "storage-test-user-agent"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*"


    }
  ]
}

Policy Content:

Field	Description	Data type	Mandatory
Id	Policy identifier, can be any	String	✗
Version	Bucket Policy version, value is a constant: "2012-10-17"	String	✓
Statement	Array of rules	Array	✓
Sid	Name of the rule	String	✗
Effect	Rule type (Allow or Deny)	String	✓
Principal:AWS	Principals (user IDs or * for all requests)	Array of strings or string	✓
Actions	Actions or * for all actions	Array of string whether string	✓
Resources	Resources subject to the rule	Array of strings or string	✓
Condition	An array of conditions represented in the format : [operator]:[key]:[array of key values].	Array	✗

Rules

Rules are of two types: Allow (Allow) and Deny (Deny).

The authorization or prohibition applies to the actions, resources, and principals added to the rule.

If a policy contains multiple rules, they are applied as follows:

• if at least one permissive rule is met, access will be allowed;
• if at least one deny rule is executed, access will be denied;
• if both permissive and deny rules are executed simultaneously, access will be denied;
• if no rule is executed, access will be denied.

Principals

The rule applies to requests from principals (users):

• user identifiers are specified for authorized requests of certain users ((( you can view the service user identifier in the control panel);
• to all authorized and unauthorized requests, indicated by the * symbol.

You can only add users with control panel access as principals when configuring the policy through the control panel.

Resources

Resources - a bucket or a set of objects to which the rule will apply. Only resources related to the bucket for which the policy is configured can be specified.

Resources can be specified in formats:

• arn:aws:s3:::<bucket-name> - bucket resource, you can specify only one resource of this format (the bucket for which the policy is configured). The resource will work for actions The resource will work for actions related to customizing the bucket, and does not apply to its objects;
• arn:aws:s3:::<bucket-name>/<prefix> - bucket object resource, where <prefix> - is the prefix to which objects the rule will apply. If you specify *, all bucket objects will be included in the resources;
• arn:aws:s3::::<bucket-name>/${<variable-name>} - bucket object resource, where <variable-name> - is the name of a wildcard variable (key), which acts as a prefix.

Actions

If you specify *, all actions will be included in the rule.

s3:AbortMultipartUpload	Interrupting segmented object loading via S3 API
s3:DeleteBucket	Bacet removal
s3:DeleteObject	Deleting an object
s3:DeleteObjectVersion	Deleting a version of an object
s3:GetBucketCORS	Obtaining CORS-configuration of the bacterium
s3:GetBucketLocation	Obtaining the pool in which the bucket is located
s3:GetBucketVersioning	Obtaining information about versioning of the buckets (enabled or not)
s3:GetObject	Reading an object
s3:GetObjectVersion	Reading a specific version of an object
s3:ListBucket	Reading the list of objects in the bucket (all or some of them)
s3:ListBucketMultipartUploads	Reading the list of objects that are in the process of segmented loading via S3 API
s3:ListBucketVersions	Reading metadata of all versions of objects in the batch
s3:ListMultipartUploadParts	Reading the list of loaded object parts during segmented loading via S3 API
s3:PutBucketCORS	Setting the CORS configuration of the tank
s3:PutBucketVersioning	Connecting and disconnecting the versioning of the baket
s3:PutObject	Adding an object to the tank (loading or copying)
s3:GetObjectRetention	Obtaining information about temporary blocking of the object
s3:GetObjectLegalHold	Obtaining information on indefinite object locking
s3:GetBucketObjectLockConfiguration	Obtaining Object Lock status and default locking in the baquette
s3:PutObjectRetention	Controlling the temporary object locking except for deactivating the interlock
s3:PutObjectLegalHold	Management of indefinite object lockout
s3:PutBucketObjectLockConfiguration	Setting Object Lock and Default Lock in the baketree
s3:BypassGovernanceRetention	Bypassing Governance-locking to delete an object, edit a deadline, or time-lock mode

Terms and conditions

A condition defines in which cases the rule will work. A condition consists of a key, an operator and a value.

If the condition returns true, the condition is satisfied.

Keys

One key can be used in multiple conditions. Multiple values can be assigned to a key.

aws:CurrentTime	Compares the date and time of the request to the value specified in the condition
aws:Referer	Compares the Referer header in the request to the value specified in the condition. Example: https://example.com/
aws:PrincipalType	Specifies the type of entity being queried. Possible values: Accounts; User; AssumedRole; Anonymous
aws:SecureTransport	Checks if the request was sent using SSL/TLS encryption. Possible values: true or false
aws:SourceIp	Compares the IP address from the request with the value from the condition
aws:UserAgent	Compares the UserAgent from the query with the value from the condition. Examples of values: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0); Gecko/20100101; Firefox/47.0.
aws:userid	Compares the user ID with the value from the condition. Example value: 9103a81de217448d908e53ac60c84acb
aws:username	Compares the username with the value from the condition
s3:authType	Restricts incoming requests to the authentication method specified in the condition. Examples of values: REST-HEADER; REST-QUERY-STRING; POST
s3:delimiter	Specifies the delimiter that user requests should include. Example value: /
s3:max-keys	Sets the maximum number of keys returned on a ListBucket query
s3:prefix	Restricts access by prefix in the key name
s3:signatureAge	Determines the validity time of the signature in the authentication request (in milliseconds)
s3:signatureversion	Specifies the AWS signature version for authentication requests. Examples of values: AWS; AWS4-HMAC-SHA256
s3:versionid	Specifies access to a specific version of the object. Example value: L4kqtJlcpXroDTDDmpUMLUo
s3:x-amz-content-sha256	Prohibits unsigned content in the request
s3:x-amz-copy-source	Restricts the copy source to a specific bucket, prefix, or object
s3:x-amz-metadata-directive	Sets the forced selection of copy or replace when copying objects
s3:x-amz-server-side-encryption	Requires server-side encryption
s3:x-amz-storage-class	Restricts access by storage class
s3:object-lock-legal-hold	Restricts access by the indefinite lock status of the object. Possible lock status values: ON; OFF
s3:object-lock-mode	Restricts access by object lock mode. Possible lock mode values: GOVERNANCE; COMPLIANCE
s3:object-lock-remaining-retention-days	Limits access based on the number of days remaining on the object's lockdown
s3:object-lock-retain-until-date	Restricts access by object lockout period

Operators

The operators compare the values from the resource request to the value specified in the key value in the condition.

Numbers

The number from the query is compared to the number specified in the condition.

NumericEquals	The value is equal to the value given in the condition
NumericGreaterThan	Value greater than the value specified in the condition
NumericGreaterThanEquals	Value greater than or equal to the value specified in the condition
NumericLessThan	Value less than the value specified in the condition
NumericLessThanEquals	The value is less than or equal to the value specified in the condition
NumericNotEquals	The value is not equal to the value specified in the condition

Strings

The string from the query is compared to the string specified in the condition.

StringEquals	The value corresponds to the value specified in the condition (case sensitive)
StringEqualsIgnoreCase	The value corresponds to the value specified in the condition (case insensitive)
StringLike	The value corresponds to the pattern specified in the condition. Use symbols for substitution: * - of several characters; single character
StringNotEqualsThan	Value does not match the value specified in the condition (case sensitive)
StringNotEqualsIgnoreCase	Value does not match the value specified in the condition (case insensitive)
StringNotLike	The value does not match the pattern specified in the condition. Use symbols for substitution: * - of several characters; single character

Date and time

The date and time from the query is compared to the date and time specified in the condition.

DateEquals	Corresponds to the set date
DateGreaterThan	Corresponds to a date later than the specified date
DateGreaterThanEquals	Matches the set date or later date
DateLessThan	Corresponds to a date earlier than the specified date
DateLessThanEquals	Matches the set date or earlier date
DateNotEquals	Does not correspond to the set date

IP addresses

The CIDR-formatted IP address from the request is compared to the IP address from the condition.

IPAddress	The key value corresponds to the specified IP address or is within the range of addresses
NotIPAddress	The key value does not match the specified IP address or is not in the address range

Bool

The Bool operator compares the logical value from the query (true or false) to the value from the key.

The condition is satisfied if the value from the query matches the value from the condition.

IfExists

The IfExists operator allows you to relax a condition in case the key specified in the condition is not present in the query.

IfExists can only be used in conjunction with other operators (except for Null). Addition format: <operator name>IfExists - For example, StringEqualsIfExists.

The data type corresponds to the data type of the statement to which IfExists is appended.

Satisfying a condition with IfExists depends on whether the key from the query is present in the condition:

• if the key is present, the condition is processed according to the rules of the operator with which IfExists was used and can take the value true or false;
• if the key is missing, the condition takes the value true.

Null

The Null operator checks if the key from the query exists in the condition.

The data type is boolean.

The condition with the Null operator is satisfied:

• if there is no key from the condition in the query;
• if the key is present in the query but its value is not specified.