
Managing bucket policies

[product_name] uses Policy-Based Access Control (PBAC) to manage user permissions by defining the actions and resources that authenticated users can access. Each policy specifies one or more actions and conditions that outline the permissions for a user or group of users. Only the bucket owner can attach a policy to a bucket, and the permissions specified in the policy apply to all objects in the bucket owned by the bucket owner.

The bucket owner retains ownership of all objects in the bucket and manages access exclusively through policies. Bucket policies are written using the JSON-based AWS Identity and Access Management (IAM) policy language, consisting of the following core elements:

  • Statement: the primary component of a policy. It defines the permissions and contains the other elements (principal, resource, action, effect and, optionally, condition). A policy usually carries an array of statements.

  • Statement ID (Sid): a unique identifier assigned to each statement.

  • Effect: whether the statement allows or denies the listed actions (Allow or Deny). Access is denied by default: a request that no statement explicitly allows is refused and, as in IAM, an explicit Deny overrides any Allow that also matches the request.

  • Action: the specific S3 actions the statement permits or denies.

  • Principal: the user, entity or account the statement applies to.

  • Resource: the S3 bucket or objects the statement applies to.

  • Condition (optional): additional restrictions under which the statement applies, expressed as condition operators applied to condition keys.

  • Version (optional): the policy language version in use.
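Before attaching a policy it is worth checking it against the element rules above and against the action and resource types in the supported-actions table on this page. The Python linter below is an added example, not [product_name] code: the two sample policies are constructed for illustration, the principal ARN format is an assumption, and the check that an object action is paired with an object ARN (and a bucket action with a bucket ARN) encodes the Resource column of the table, since a statement attached to the wrong resource type never matches a request.

```python
"""Lint a bucket policy before attaching it: structure, supported actions, ARN/resource type."""
import re

# Actions copied from this page's "Supported S3 actions" table, grouped by the
# resource type (Object or Bucket) each one applies to.
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl",
    "s3:ListMultipartUploadParts", "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:AbortMultipartUpload", "s3:PutObjectAcl", "s3:PutObjectVersionAcl",
}
BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:GetBucketAcl",
    "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification",
    "s3:GetBucketPolicy", "s3:GetBucketVersioning", "s3:GetBucketWebsite",
    "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration", "s3:DeleteBucket",
    "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification",
    "s3:PutBucketRequestPayment", "s3:PutBucketVersioning", "s3:PutBucketWebsite",
    "s3:PutLifecycleConfiguration", "s3:PutReplicationConfiguration", "s3:PutBucketPolicy",
    "s3:DeleteBucketPolicy", "s3:PutBucketAcl",
}
SUPPORTED_ACTIONS = OBJECT_ACTIONS | BUCKET_ACTIONS
BUCKET_ARN = re.compile(r"^arn:aws:s3:::[^/]+$")     # arn:aws:s3:::bucket
OBJECT_ARN = re.compile(r"^arn:aws:s3:::[^/]+/.+$")  # arn:aws:s3:::bucket/key or bucket/*


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be '2012-10-17'")
    seen_sids = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        if sid in seen_sids:
            findings.append(f"{sid}: duplicate Sid")
        seen_sids.add(sid)
        for element in ("Effect", "Principal", "Action", "Resource"):
            if element not in stmt:
                findings.append(f"{sid}: missing {element}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action} grants more than any one supported action")
            elif action not in SUPPORTED_ACTIONS:
                findings.append(f"{sid}: {action} is not in the supported action list")
            else:
                for res in resources:
                    # An object action on a bucket ARN (or the reverse) can never match a request.
                    if action in OBJECT_ACTIONS and BUCKET_ARN.match(res):
                        findings.append(f"{sid}: {action} needs an object ARN, got bucket ARN {res}")
                    if action in BUCKET_ACTIONS and OBJECT_ARN.match(res):
                        findings.append(f"{sid}: {action} needs a bucket ARN, got object ARN {res}")
        anonymous = stmt.get("Principal") in ("*", {"AWS": "*"})
        if stmt.get("Effect") == "Allow" and anonymous and "Condition" not in stmt:
            findings.append(f"{sid}: unconditional Allow to Principal '*' makes the resource public")
    return findings


# Constructed sample: least-privilege read access for one principal (ARN format is assumed).
READER = "arn:aws:iam::123456789012:user/report-reader"
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow", "Principal": {"AWS": READER},
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-bucket/reports/*"},
        {"Sid": "ListReports", "Effect": "Allow", "Principal": {"AWS": READER},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringLike": {"s3:prefix": "reports/*"}}},
    ],
}

# Constructed sample with the mistakes the linter is meant to catch: no Version, a public
# unconditional Allow, a wildcard action, and an object action bound to the bucket ARN.
BAD_POLICY = {
    "Statement": {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                  "Action": ["s3:GetObject", "s3:*"], "Resource": "arn:aws:s3:::example-bucket"},
}

if __name__ == "__main__":
    for finding in lint_policy(BAD_POLICY):
        print("finding:", finding)
```

Run the linter over every policy in a pull request and fail the build on any finding; the object-versus-bucket ARN check in particular catches the most common silently non-working policy, an s3:GetObject grant on arn:aws:s3:::bucket with no /* suffix.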

[product_name] supports the following S3 actions, condition keys, and condition operators for bucket policies:

Supported S3 actions

Every action accepts six common condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 and aws:SourceIp. The last column of the table lists only the additional keys an action accepts. Object-level actions must be granted on an object ARN (arn:aws:s3:::bucket/key or arn:aws:s3:::bucket/*) and bucket-level actions on the bucket ARN (arn:aws:s3:::bucket); a statement that pairs an action with the wrong resource type never matches a request.

| Action | Access level | Resource | Description | Additional condition keys |
|---|---|---|---|---|
| [s3:GetObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject) | Read | Object | Grants permission to retrieve objects from a bucket | none |
| [s3:GetObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl) | Read | Object | Grants permission to return the access control list (ACL) of an object | none |
| [s3:GetObjectVersion](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject) | Read | Object | Grants permission to retrieve a specific version of an object | s3:versionid |
| [s3:GetObjectVersionAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl) | Read | Object | Grants permission to return the ACL of a specific object version | s3:versionid |
| [s3:ListMultipartUploadParts](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts) | List | Object | Grants permission to list the parts that have been uploaded for a specific multipart upload | s3:versionid |
| [s3:ListBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2) | List | Bucket | Grants permission to list some or all of the objects in a bucket (up to 1,000 keys per request) | s3:max-keys, s3:prefix |
| [s3:ListBucketMultipartUploads](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads) | List | Bucket | Grants permission to list in-progress multipart uploads | none |
| [s3:ListBucketVersions](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectVersions) | List | Bucket | Grants permission to list metadata about all the versions of objects in a bucket | s3:max-keys, s3:prefix |
| [s3:GetBucketAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl) | Read | Bucket | Grants permission to use the acl subresource to return the ACL of a bucket | none |
| [s3:GetBucketCORS](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketCors) | Read | Bucket | Grants permission to return the CORS configuration set for a bucket | none |
| [s3:GetBucketLocation](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLocation) | Read | Bucket | Grants permission to return the region that a bucket resides in | none |
| [s3:GetBucketLogging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLogging) | Read | Bucket | Grants permission to return the logging status of a bucket and the permissions users have to view or modify that status | none |
| [s3:GetBucketNotification](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketNotification) | Read | Bucket | Grants permission to get the notification configuration of a bucket | none |
| [s3:GetBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy) | Read | Bucket | Grants permission to return the policy of the specified bucket | none |
| [s3:GetBucketVersioning](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketVersioning) | Read | Bucket | Grants permission to return the versioning state of a bucket | none |
| [s3:GetBucketWebsite](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketWebsite) | Read | Bucket | Grants permission to return the website configuration for a bucket | none |
| [s3:GetLifecycleConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLifecycleConfiguration) | Read | Bucket | Grants permission to return the lifecycle configuration set on a bucket | none |
| [s3:GetReplicationConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketReplication) | Read | Bucket | Grants permission to get the replication configuration set on a bucket | none |
| [s3:PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject) | Write | Object | Grants permission to add an object to a bucket | s3:x-amz-acl, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold |
| [s3:DeleteObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject) | Write | Object | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object | none |
| [s3:DeleteObjectVersion](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject) | Write | Object | Grants permission to remove a specific version of an object | s3:versionid |
| [s3:AbortMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload) | Write | Object | Grants permission to abort a multipart upload | none |
| [s3:DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket) | Write | Bucket | Grants permission to delete the bucket named in the URI | none |
| [s3:PutBucketCORS](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors) | Write | Bucket | Grants permission to set the CORS configuration for a bucket | none |
| [s3:PutBucketLogging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging) | Write | Bucket | Grants permission to set the logging parameters for a bucket | none |
| [s3:PutBucketNotification](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketNotification) | Write | Bucket | Grants permission to set the notification configuration of a bucket, so that notifications are delivered when certain events happen in it | none |
| [s3:PutBucketRequestPayment](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketRequestPayment) | Write | Bucket | Grants permission to set the request payment configuration of a bucket | none |
| [s3:PutBucketVersioning](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning) | Write | Bucket | Grants permission to set the versioning state of an existing bucket | none |
| [s3:PutBucketWebsite](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite) | Write | Bucket | Grants permission to set the configuration of the website specified in the website subresource | none |
| [s3:PutLifecycleConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycleConfiguration) | Write | Bucket | Grants permission to create a new lifecycle configuration for the bucket or replace an existing one | none |
| [s3:PutReplicationConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication) | Write | Bucket | Grants permission to create a new replication configuration or replace an existing one | none |
| [s3:PutBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy) | Access management | Bucket | Grants permission to add or replace a bucket policy on a bucket | none |
| [s3:DeleteBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy) | Access management | Bucket | Grants permission to delete the policy on a specified bucket | none |
| [s3:PutObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl) | Access management | Object | Grants permission to set the ACL permissions for new or existing objects in a bucket | s3:x-amz-acl, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class |
| [s3:PutObjectVersionAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl) | Access management | Object | Grants permission to use the acl subresource to set the ACL permissions for an object that already exists in a bucket | s3:versionid, s3:x-amz-acl, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class |
| [s3:PutBucketAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl) | Access management | Bucket | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) | s3:x-amz-acl, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp |

The access-management actions change who can reach the bucket: a principal allowed s3:PutBucketPolicy or s3:PutBucketAcl can grant itself every other action, so limit them to the bucket owner or a dedicated administrative principal.

Supported condition keys

| Condition key | Description | Value |
|---|---|---|
| s3:x-amz-storage-class | Filters access by storage class | String |
| s3:x-amz-acl | Filters access by the canned ACL in the request's x-amz-acl header | String |
| s3:x-amz-grant-full-control | Filters access by the x-amz-grant-full-control (full control) header | String |
| s3:x-amz-grant-read | Filters access by the x-amz-grant-read (read access) header | String |
| s3:x-amz-grant-read-acp | Filters access by the x-amz-grant-read-acp (read permissions for the ACL) header | String |
| s3:x-amz-grant-write | Filters access by the x-amz-grant-write (write access) header | String |
| s3:x-amz-grant-write-acp | Filters access by the x-amz-grant-write-acp (write permissions for the ACL) header | String |
| s3:x-amz-copy-source | Filters access by the copy source bucket, prefix, or object in copy object requests | String |
| s3:TlsVersion | Filters access by the TLS version used by the client | Numeric. Valid values: 1.2, 1.1 and 1.0 |
| s3:x-amz-content-sha256 | Filters access by whether the request payload is unsigned | Valid value: UNSIGNED-PAYLOAD |
| s3:signatureversion | Filters access by the version of AWS Signature used on the request | Valid values: AWS (Signature Version 2) and AWS4-HMAC-SHA256 (Signature Version 4) |
| s3:signatureAge | Filters access by the age of the request signature, in milliseconds | Numeric |
| s3:authType | Filters access by authentication method | Valid values: REST-HEADER, REST-QUERY-STRING and POST |
| s3:x-amz-website-redirect-location | Filters access by a specific website redirect location for buckets that are configured as static websites | String |
| s3:object-lock-mode | Filters access by object retention mode | Valid values: COMPLIANCE and GOVERNANCE |
| s3:object-lock-retain-until-date | Filters access by object retain-until date | Date |
| s3:object-lock-legal-hold | Filters access by object legal hold status | String |
| s3:object-lock-remaining-retention-days | Filters access by remaining object retention days | Numeric |
| s3:prefix | Filters access by key name prefix | String |
| s3:versionid | Filters access by a specific object version | String |
| s3:max-keys | Filters access by the maximum number of keys returned in a ListBucket request | Numeric |
| aws:SourceIp | Filters access by client IP address or CIDR range | IP address; compare with IpAddress or NotIpAddress |

Supported condition operators

| Condition operator | Description |
|---|---|
| StringEquals | Exact matching, case sensitive |
| StringNotEquals | Negated matching, case sensitive |
| StringEqualsIgnoreCase | Exact matching, ignoring case |
| StringNotEqualsIgnoreCase | Negated matching, ignoring case |
| StringLike | Case-sensitive matching. Values can include the multi-character wildcard `*` and the single-character wildcard `?` anywhere in the string; use wildcards to achieve partial string matches |
| StringNotLike | Negated case-sensitive matching. Values can include the multi-character wildcard `*` or the single-character wildcard `?` anywhere in the string |
| NumericEquals | Exact matching |
| NumericNotEquals | Negated matching |
| NumericLessThan | "Less than" matching |
| NumericLessThanEquals | "Less than or equals" matching |
| NumericGreaterThan | "Greater than" matching |
| NumericGreaterThanEquals | "Greater than or equals" matching |
| DateEquals | Matching a specific date |
| DateNotEquals | Negated matching |
| DateLessThan | Matching before a specific date and time |
| DateLessThanEquals | Matching at or before a specific date and time |
| DateGreaterThan | Matching after a specific date and time |
| DateGreaterThanEquals | Matching at or after a specific date and time |
| BinaryEquals | Matching in binary format: the value of the specified key is compared byte for byte against a base64-encoded representation of the binary value. If the specified key is not present in the request context, the values do not match |
| IpAddress | Matching the specified IP address or range |
| NotIpAddress | Matching all IP addresses except the specified IP address or range |
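A small evaluator that applies the operators and keys above to a request context makes the semantics concrete: default deny, explicit Deny beating Allow, and conditions that AND across operators and keys but OR across the values listed for one key. The code below is an added example and not [product_name] code. The policy, the principal ARN format and the request contexts are constructed for illustration; the missing-key rule (a key absent from the request fails a positive operator but satisfies a negated one such as StringNotEquals) follows IAM's documented behaviour and is assumed to apply here; BinaryEquals is not implemented.

```python
"""Evaluate requests against a bucket policy using the condition operators listed on this page."""
import fnmatch
import ipaddress
from datetime import datetime

ANALYST = "arn:aws:iam::123456789012:user/analyst"  # hypothetical principal ARN

_COMPARE = {
    "Equals": lambda a, b: a == b, "LessThan": lambda a, b: a < b,
    "LessThanEquals": lambda a, b: a <= b, "GreaterThan": lambda a, b: a > b,
    "GreaterThanEquals": lambda a, b: a >= b,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _operator_matches(operator, wanted, actual):
    """True if the request value `actual` satisfies `operator` for any of the policy's `wanted` values."""
    negated = "Not" in operator
    positive = operator.replace("Not", "")          # StringNotLike -> StringLike, NotIpAddress -> IpAddress
    if positive == "IpAddress":
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w, strict=False) for w in wanted)
    elif positive.startswith("StringLike"):
        hit = any(fnmatch.fnmatchcase(actual, w) for w in wanted)   # * and ? wildcards
    elif positive.startswith("String"):
        fold = str.lower if positive.endswith("IgnoreCase") else str
        hit = fold(actual) in [fold(w) for w in wanted]
    elif positive.startswith("Numeric"):
        hit = any(_COMPARE[positive[7:]](float(actual), float(w)) for w in wanted)
    elif positive.startswith("Date"):
        hit = any(_COMPARE[positive[4:]](_ts(actual), _ts(w)) for w in wanted)
    else:
        raise ValueError(f"operator not implemented in this example: {operator}")
    return not hit if negated else hit


def _condition_matches(condition, context):
    """Every operator and every key must hold (AND); the values for one key are alternatives (OR)."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in context:
                # Assumed IAM semantics: a missing key fails a positive operator but
                # satisfies a negated one, which is why Deny + StringNotEquals cuts so wide.
                if "Not" not in operator:
                    return False
                continue
            if not _operator_matches(operator, _as_list(wanted), context[key]):
                return False
    return True


def _statement_matches(stmt, req):
    principal = stmt["Principal"]
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return (
        ("*" in principals or req["principal"] in principals)
        and any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition", {}), req["context"])
    )


def evaluate(policy, req):
    """An explicit Deny beats any Allow; no matching statement at all is an implicit Deny."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, req):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def request(action, resource, context, principal=ANALYST):
    """Build a request the way the evaluator expects it; `context` holds the condition keys."""
    return {"action": action, "resource": resource, "principal": principal, "context": context}


# Constructed example policy (not from the product's documentation).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadFromOfficeOverModernTls", "Effect": "Allow", "Principal": {"AWS": ANALYST},
         "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/8", "192.0.2.0/24"]},
                       "NumericGreaterThanEquals": {"s3:TlsVersion": "1.2"}}},
        {"Sid": "ListReportsPrefixOnly", "Effect": "Allow", "Principal": {"AWS": ANALYST},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringLike": {"s3:prefix": "reports/*"}}},
        {"Sid": "Upload", "Effect": "Allow", "Principal": {"AWS": ANALYST},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyUnsignedPayload", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD"}}},
    ],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/reports/q1.csv"
    print(evaluate(POLICY, request("s3:GetObject", obj, {"aws:SourceIp": "10.1.2.3", "s3:TlsVersion": "1.2"})))
    print(evaluate(POLICY, request("s3:PutObject", obj, {"s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD"})))
```

Two details are worth noticing when writing real policies. The DenyUnsignedPayload statement wins over the unconditional Upload allow for the same principal, which is the pattern to use for hard guardrails (TLS floor, signature version, source network) that no later Allow should be able to loosen. And the ListReportsPrefixOnly statement refuses a ListBucket call that carries no prefix at all, because a positive operator on a missing key never matches; if callers need to list the bucket root you must allow that case separately.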

To learn more about condition operators, refer to the AWS Identity and Access Management User Guide.
