Bucket Policy

Bucket Policy is a JSON-based access policy language that allows you to create fine-grained permissions for your S3 buckets. With Bucket Policy, you can specify which users or services can access specific objects and what actions users can perform.

Note: Granting access to a bucket for another IONOS user does not make the bucket appear in the user's S3 web console due to the S3 protocol's architecture. To access the bucket, the user must utilize other S3 Tools as the granted access does not translate to interface visibility.

Use cases

Use this feature to grant access to a specific user or group to only a subset of the objects in your bucket.
Restrict access to certain operations on your bucket, for example, list objects or remove object lock.
Using Bucket Policy, you can grant access based on conditions, such as the IP address of the user.
Create fine-grained access control rules to allow a user to put objects to a specific prefix in your bucket, but not to get objects from that prefix.

Bucket Policy alternatives

Use Bucket ACL instead of Bucket Policy if you need to:

Define permissions in a simple way such as READ, WRITE, or FULL CONTROL.
Apply different sets of permissions to many objects.

Use Share Objects with Pre-Signed URLs for granting temporary access to authorized users for a specified period, after which the URL and the access to the object expires.

Policy format

A JSON-formatted bucket policy contains one or more policy statements. Within a policy's statement blocks, IONOS S3 Object Storage support for policy statement elements and their values is as follows:

Id (optional): A unique identifier for the policy. Example: SamplePolicyID.
Version (required): Specifies the policy language version. The current version is 2012-10-17.
Statement (required): An array of individual statements, each specifying a permission.
Sid (optional): Custom string identifying the statement. For example, Statement1 or Only allow access from specific source IPs.
Effect (required): Specifies the effect of the statement. Possible values: Allow, Deny.
Principal (required): Specifies the user, account, service, or other entity to which the statement applies.
- * – Statement applies to all users (also known as 'anonymous access').
- {"CanonicalUser": "<canonicalUserId>"} – Statement applies to the specified IONOS S3 Object Storage user.
- {"CanonicalUser": ["<canonicalUserId>", "<canonicalUserId>",...]} – Statement applies to the specified IONOS S3 Object Storage users.
Action (required): Specifies the action(s) that are allowed or denied by the statement. See section 'Supported Action Values'. Example: s3:GetObject for allowing read access to objects.
Resource (required): Must be one of the following:
- arn:aws:s3:::<bucketName> – For bucket actions (such as s3:ListBucket) and bucket subresource actions (such as s3:GetBucketAcl).
- arn:aws:s3:::<bucketName>/* or arn:aws:s3:::<bucketName>/<objectName> – For object actions (such as s3:PutObject).
Condition (optional): Specifies conditions for when the statement is in effect. See section 'Supported Condition Values'. Example: {"aws:SourceIp": "123.123.123.0/24"} restricts access to the specified IP range.

{
  "Id": "Delegate certain actions to another user",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Delegate certain actions to another user",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "123.123.123.123/32"
          ]
        }
      },
      "Principal": {
        "CanonicalUser": "783fa49356820b211a4283526fe24343"
      }
    }
  ]
}

Web console

Apply a Bucket Policy

You can apply Bucket Policy using the web console by following these steps:

1. In the DCD, go to Menu > Storage > IONOS S3 Object Storage.

2. From the Buckets list, choose the required S3 bucket and click the Bucket settings.

3. In the Bucket Policy, click Edit, copy and paste the provided JSON policy, replacing BUCKET_NAME and CANONICAL_USER_ID with the actual values. You can retrieve your Canonical user ID from the Key management section. For more information, see Retrieve User IDs.

4. Click Save.

This action grants the specified user full access to your bucket.

{
  "Id": "Share access to the bucket",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Share access to the bucket",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ],
      "Principal": {
        "CanonicalUser": "CANONICAL_USER_ID"
      }
    }
  ]
}

You have the option to restrict actions, define the scope of access, or incorporate conditions into the Bucket Policy for more tailored control.

Delete a Bucket Policy

You can delete a Bucket Policy at any time using the Bucket Policy section in the Bucket settings and click Delete.

Info: Removing a bucket policy is irreversible and it is advised to create a backup policy before deleting it.

IONOS S3 Object Storage API

Use the Bucket Policy API to manage the Bucket Policy configuration.

Command-line tool

Use the CLI to manage Bucket Policy.

Block Public Access

If you have defined a bucket policy to grant public access, activating the Block Public Access feature will revoke these permissions, ensuring your data remains private. This feature is invaluable in scenarios where ensuring data privacy is paramount, or when you want to enforce a blanket no-public-access rule, irrespective of Bucket Policy settings.

PreviousVersioning NextBucket Policy Examples

Last updated 11 months ago