Bucket Policy Examples

Following are a few examples of common use cases and their corresponding bucket policy configurations.

Grant full control of the bucket to other users

To grant full control over a bucket and its objects to other IONOS S3 Object Storage users:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant Full Control",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": ["CANONICAL_USER_ID_1", "CANONICAL_USER_ID_2"]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Grant read-only access to a specific prefix

To grant read-only access to objects within a specific prefix of a bucket to other IONOS S3 Object Storage users:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantReadOnlyAccessToPrefix",
      "Effect": "Allow",
      "Principal": {
         "CanonicalUser": ["CANONICAL_USER_ID_1", "CANONICAL_USER_ID_2"]
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/prefix/*",
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "prefix/*"
          ]
        }
      }
    }
  ]
}

Public read access

To allow read access to certain objects within a bucket while keeping other objects private:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/public/*"
    }
  ]
}

Restrict access to specific IP addresses

To restrict all users from performing any S3 operations within the designated bucket, unless the request is initiated from the specified range of IP addresses:

{
    "Version": "2012-10-17",
    "Id": "Restrict access to specific IP addresses",
    "Statement": [
        {
            "Sid": "Restrict access to specific IP addresses",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::MY-BUCKET",
                "arn:aws:s3:::MY-BUCKET/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "123123.123.0/24"
                }
            }
        }
    ]
}

For more information on bucket policy configurations, see Bucket Policy, supported bucket and object actions and condition values, and Retrieve Canonical User ID.

Last updated

Revision created

fixed broken links