Bucket policy¶
A bucket policy is a resource-based policy that grants access permissions to your S3 bucket and the objects in it (see the AWS user guide: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html).
Actions¶
S3 actions that can be specified in a policy:
s3:AbortMultipartUpload
s3:CreateBucket
s3:DeleteBucket
s3:DeleteBucketPolicy
s3:DeleteObject
s3:DeleteObjectTagging
s3:DeleteObjectVersion
s3:DeleteObjectVersionTagging
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketLocation
s3:GetBucketObjectLockConfiguration
s3:GetBucketPolicy
s3:GetBucketPolicyStatus
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetLifecycleConfiguration
s3:GetObject
s3:GetObjectAcl
s3:GetObjectAttributes
s3:GetObjectLegalHold
s3:GetObjectRetention
s3:GetObjectTagging
s3:GetObjectVersion
s3:GetObjectVersionAcl
s3:GetObjectVersionAttributes
s3:GetObjectVersionTagging
s3:ListAllMyBuckets
s3:ListBucket
s3:ListBucketMultipartUploads
s3:ListBucketVersions
s3:ListMultipartUploadParts
s3:PutBucketAcl
s3:PutBucketCORS
s3:PutBucketObjectLockConfiguration
s3:PutBucketPolicy
s3:PutBucketTagging
s3:PutBucketVersioning
s3:PutLifecycleConfiguration
s3:PutObject
s3:PutObjectLegalHold
s3:PutObjectRetention
s3:PutObjectTagging
s3:PutObjectVersionTagging
s3:PatchObject
s3:PutBucketPublicAccessBlock
s3:GetBucketPublicAccessBlock
s3:GetBucketWebsite
s3:PutBucketWebsite
s3:DeleteBucketWebsite
Also, you can specify * or s3:* to match all actions.
Conditions¶
AWS defines a large number of condition keys https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.htm but s3-gw currently supports only the following condition keys in bucket policies:
Note: every condition key and value must be a JSON string in the policy, even when the key is numeric (for example "10", not 10).
| Condition key | Description |
|---|---|
| s3:max-keys | Filters access by the maximum number of keys returned in a ListBucket request |
| s3:delimiter | Filters access by the delimiter parameter |
| s3:prefix | Filters access by key name prefix |
| s3:VersionId | Filters access by a specific object version |
| s3:ExistingObjectTag/tag-key | Filters access by the value of a specific tag on the existing object |
| s3:x-amz-copy-source | Filters access by the copy source bucket, prefix or object in copy object requests |
| s3:x-amz-metadata-directive | Filters access by object metadata behavior (COPY or REPLACE) when objects are copied |
Each key can be used only with the condition operators that fit its type (String or Numeric), see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html.
s3 max-keys¶
Key: s3:max-keys
Type: Numeric
Description: Filters access by maximum number of keys returned in a ListBucket request
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "NumericLessThanEquals": {
        "s3:max-keys": "10"
      }
    }
  }
}
```
s3 delimiter¶
Key: s3:delimiter
Type: String
Description: Filters access by delimiter parameter
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "StringEquals": {
        "s3:delimiter": "/"
      }
    }
  }
}
```
s3 prefix¶
Key: s3:prefix
Type: String
Description: Filters access by key name prefix
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::111122223333:user/JohnDoe"
      ]
    },
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "StringEquals": {
        "s3:prefix": "home/JohnDoe"
      }
    }
  }
}
```
s3 VersionId¶
Key: s3:VersionId
Type: String
Description: Filters access by a specific object version
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::111122223333:user/JohnDoe"
      ]
    },
    "Action": "s3:GetObjectVersion",
    "Resource": "arn:aws:s3:::example_bucket/some-file.txt",
    "Condition": {
      "StringEquals": {
        "s3:VersionId": "AT2L3qER7CHGk4TDooocEzkz2RyqTm4Zh2b1QLzAhLbH"
      }
    }
  }
}
```
s3 Existing Object Tag¶
Key: s3:ExistingObjectTag/tag-key (the tag key is part of the condition key, e.g. s3:ExistingObjectTag/environment)
Type: String
Description: Filters access by the value of a specific tag on the existing object
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/JohnDoe"
        ]
      },
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/environment": "production"
        }
      }
    }
  ]
}
```
s3 x-amz-copy-source¶
Key: s3:x-amz-copy-source
Type: String
Description: Filters access by the source object (bucket/key) given in a copy object request
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny your user permission to upload object if copy source is not /bucket/prefix",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/Dave"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-source-bucket/*",
      "Condition": {
        "StringNotLike": {
          "s3:x-amz-copy-source": "amzn-s3-demo-source-bucket/public/*"
        }
      }
    }
  ]
}
```
s3 x-amz-metadata-directive¶
Key: s3:x-amz-metadata-directive
Type: String
Description: Specifies whether the metadata is copied from the source object or replaced with metadata that's provided in the request
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/Dave"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-source-bucket/*",
      "Condition": {
        "StringLike": {
          "s3:x-amz-metadata-directive": "COPY"
        }
      }
    }
  ]
}
```
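To see how the condition keys above combine at request time, here is a small policy evaluator added to this page. It is not s3-gw code and does not describe how the gateway is implemented; it applies the AWS evaluation rules (an explicit Deny wins, the operator blocks inside a Condition are ANDed, and a condition key that is absent from the request fails a positive operator but satisfies a negated "...Not..." one). Whether s3-gw treats absent keys the same way is not stated on this page, so that part is an assumption. The sample policy, the principals and the request contexts are constructed for the example; it combines the s3:prefix, s3:max-keys and s3:x-amz-copy-source conditions shown above and also covers the * / s3:* action wildcards from the Actions section.

```python
import fnmatch
import json

# Added example, not s3-gw code: a minimal evaluator for the bucket policy features
# on this page, using the AWS rules: explicit Deny wins, operator blocks in a Condition
# are ANDed, and a key absent from the request fails a positive operator but satisfies
# a negated ("...Not...") one. Whether s3-gw handles absent keys this way is not stated here.

def _string_like(policy_value, request_value):
    return fnmatch.fnmatchcase(request_value, policy_value)  # IAM * and ? wildcards

def _numeric_lte(policy_value, request_value):
    return int(request_value) <= int(policy_value)  # values are JSON strings, see note above

# operator name -> (matcher, negated)
OPERATORS = {
    "StringEquals": (lambda p, r: p == r, False),
    "StringLike": (_string_like, False),
    "StringNotLike": (_string_like, True),
    "NumericLessThanEquals": (_numeric_lte, False),
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def condition_matches(condition, context):
    """All operator blocks and all keys must hold; a key holds if any listed value matches."""
    for op_name, keys in condition.items():
        matcher, negated = OPERATORS[op_name]
        for key, values in keys.items():
            actual = context.get(key)
            if actual is None:
                if negated:
                    continue  # absent key satisfies a negated operator
                return False
            if any(matcher(v, actual) for v in _as_list(values)) == negated:
                return False
    return True

def _principal_matches(principal, caller):
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or caller in aws

def evaluate(policy, caller, action, resource, context):
    """Return "Allow", "Deny" or "ImplicitDeny" for one request."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement object is valid policy JSON
        statements = [statements]
    decision = "ImplicitDeny"
    for st in statements:
        if not _principal_matches(st["Principal"], caller):
            continue
        if not any(a in ("*", "s3:*", action) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny wins regardless of statement order
        decision = "Allow"
    return decision

# Constructed sample policy combining three of the conditions shown above.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ListOwnHomeInSmallPages", "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::111122223333:user/JohnDoe"]},
   "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket",
   "Condition": {"StringEquals": {"s3:prefix": "home/JohnDoe"},
                 "NumericLessThanEquals": {"s3:max-keys": "10"}}},
  {"Sid": "DaveMayUpload", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:user/Dave"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example_bucket/*"},
  {"Sid": "DenyCopyFromOutsidePublic", "Effect": "Deny",
   "Principal": {"AWS": "arn:aws:iam::123456789012:user/Dave"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example_bucket/*",
   "Condition": {"StringNotLike": {"s3:x-amz-copy-source": "example_bucket/public/*"}}}
]}""")

JOHN = "arn:aws:iam::111122223333:user/JohnDoe"
DAVE = "arn:aws:iam::123456789012:user/Dave"
BUCKET = "arn:aws:s3:::example_bucket"

def demo():
    """Constructed requests against SAMPLE_POLICY; returns name -> decision."""
    listing = lambda ctx: evaluate(SAMPLE_POLICY, JOHN, "s3:ListBucket", BUCKET, ctx)
    upload = lambda ctx: evaluate(SAMPLE_POLICY, DAVE, "s3:PutObject", BUCKET + "/x.txt", ctx)
    return {
        "john_small_page": listing({"s3:prefix": "home/JohnDoe", "s3:max-keys": "5"}),
        "john_big_page": listing({"s3:prefix": "home/JohnDoe", "s3:max-keys": "100"}),
        "john_no_max_keys": listing({"s3:prefix": "home/JohnDoe"}),  # positive op, absent key
        "dave_copy_public": upload({"s3:x-amz-copy-source": "example_bucket/public/a.txt"}),
        "dave_copy_private": upload({"s3:x-amz-copy-source": "example_bucket/private/a.txt"}),
        "dave_plain_put": upload({}),  # no copy source: the negated Deny condition fires
    }
```

Two outcomes in demo() are worth noting when writing real policies. A listing without an explicit max-keys is not allowed by the NumericLessThanEquals statement, because the key is absent and a positive operator cannot be satisfied, so clients must send max-keys themselves. Conversely, a plain PutObject with no copy source is denied by the StringNotLike statement, because an absent key satisfies a negated operator; a Deny built on a "...Not..." operator therefore reaches further than its Sid suggests.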