Exploring AWS S3 Bucket Policies
Structure of a Bucket Policy
A Policy is a set of statements.
A statement has a Sid, an Effect (Allow or Deny), a Principal, an Action and a Resource, plus an optional Condition that narrows when the statement applies.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AnyRandomString",
      "Effect": "Allow" | "Deny",
      "Principal": "users on which this statement applies",
      "Action": "all IAM actions like s3:GetObject",
      "Resource": "all resources like arn:aws:s3:::your-bucket-name/",
      "Condition": {
        "operator": {
          "key": "value"
        }
      }
    }
  ]
}
Tip: Replace each placeholder with your real values, for example:
- "Principal": IAM user or role ARNs
- "Action": s3:PutObject, s3:GetObject, etc.
- "Resource": arn:aws:s3:::bucket-name/*
- "Condition": for example "StringEquals": { "s3:ExistingObjectTag/environment": "prod" }
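Before attaching a policy it is worth checking that every statement carries the fields described above and that nothing in it accidentally opens the bucket to the world. The following structural check is an added example for this page, not AWS code or an AWS API; the bucket name, the sample policy and the function names (check_bucket_policy, is_public_principal) are this example's own.

```python
"""Structural lint for an S3 bucket policy document. This is an added example
for the skeleton above, not AWS code or an AWS API: it checks the fields every
statement needs, that each Resource ARN belongs to the bucket the policy will
be attached to, and flags Allow statements open to every principal with no
Condition. The bucket name and the sample policy below are constructed."""
import json

# Sid is optional in a statement; these four are not (Principal is required
# in a resource-based policy such as a bucket policy).
REQUIRED_FIELDS = ("Effect", "Principal", "Action", "Resource")


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    # "*" or {"AWS": "*"} / {"AWS": ["*", ...]} means every principal, anonymous included.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def check_bucket_policy(policy_json, bucket):
    """Return a list of findings; an empty list means the document passed."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17, the current policy language version")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        where = stmt.get("Sid") or f"statement {index}"
        for field in REQUIRED_FIELDS:
            if field not in stmt:
                findings.append(f"{where}: missing {field}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        # Every Resource must be the bucket itself or an object path inside it.
        for arn in as_list(stmt.get("Resource", [])):
            if arn != bucket_arn and not arn.startswith(bucket_arn + "/"):
                findings.append(f"{where}: Resource {arn} is outside bucket {bucket}")
        # An unconditional Allow for "*" is the classic public-bucket mistake.
        if (stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(f"{where}: Allow for every principal without a Condition makes the bucket public")
    return findings


# Constructed sample: one well-formed upload grant and one accidental public read
# that also points at a different bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UploadObjects", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::other-bucket/*"},
    ],
})

if __name__ == "__main__":
    for finding in check_bucket_policy(SAMPLE_POLICY, "my-bucket"):
        print(finding)
```

Run against the constructed sample for bucket my-bucket, the check reports two findings, both on the PublicRead statement: its Resource is outside the bucket, and it allows every principal without a Condition. Example 5 on this page uses "Principal": "*" with a Deny, which the check deliberately does not flag.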
Few Example Policies
1. Grant IAM Users Permission to Upload Objects
Problem: Allow two root accounts (and all their IAM users/roles) to upload objects to a bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UploadObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account_id_1:root",
          "arn:aws:iam::account_id_2:root"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
Note: the root principal stands for the AWS account itself, so it includes all IAM users and roles under that account. For cross-account use, those users and roles still need an identity-based IAM policy in their own account that allows s3:PutObject before they can actually upload.
2. Allow Read Access Only to Objects with a Specific Tag
Problem: Allow a role to read only the objects that carry the tag environment=prod.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWithSpecificTagOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account_id_1:role/Alex"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::gen786/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/environment": "prod"
        }
      }
    }
  ]
}
3. Allow Upload Only if a Specific Tag is Applied
Problem: Allow a role to upload objects only if the upload request tags them environment=prod.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UploadWithSpecificTagOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account_id_1:role/Alex"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::gen786/*",
      "Condition": {
        "StringEquals": {
          "s3:RequestObjectTag/environment": "prod"
        }
      }
    }
  ]
}
Here we use "s3:RequestObjectTag" instead of "s3:ExistingObjectTag" because the tag is checked on the incoming upload request, before the object exists in the bucket; "s3:ExistingObjectTag" only applies to objects that are already stored.
4. Restrict Tag Keys That Users Can Add
Problem: Allow users to add object tags only if the tag keys are Owner or CreationDate.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SpecificTagKeysOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/Jake",
          "arn:aws:iam::111122223333:user/Mike"
        ]
      },
      "Action": "s3:PutObjectTagging",
      "Resource": "arn:aws:s3:::gen786/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "s3:RequestObjectTagKeys": ["Owner", "CreationDate"]
        }
      }
    }
  ]
}
5. Deny Everyone Except the Root User
Problem: Deny every IAM user and role access to the bucket, except the account's root user.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOwnerOnlyAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::AWS_ACCOUNT_ID:root"
        }
      }
    }
  ]
}
An explicit Deny overrides any Allow, whether the Allow comes from this bucket policy or from an IAM policy, so this statement is very restrictive: every identity except the account root user is locked out of the bucket.
Key Notes
arn:aws:s3:::bucket/* = all objects inside the bucket.
s3:PutObjectTagging = adds tags to an already uploaded object.
Conditions use:
- String operators: StringEquals, StringNotEquals
- Set operators: ForAllValues, ForAnyValue
- Tag-based keys: s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys
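To see how the statements in examples 3, 4 and 5 actually decide a request, here is a small offline evaluator. It is an added example, not AWS code or the page's own: it models only the operators and condition keys used above and the rule that a matching explicit Deny beats any Allow while no match at all is an implicit Deny. The account id 111122223333, the bucket gen786 and the object key report.csv are placeholders, and make_statement, decide and the two policy dicts are this example's own names.

```python
"""Offline model of how S3 decides a request under the bucket policies above.
Added illustration, not AWS code: it models only what the page's examples use
(StringEquals, StringNotEquals, the ForAnyValue/ForAllValues set prefixes, the
tag and aws:PrincipalArn condition keys) plus the evaluation rule that a
matching explicit Deny beats any Allow and no match at all is an implicit
Deny. Account 111122223333, bucket gen786 and the object key are placeholders."""
import fnmatch


def as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(principal, caller_arn):
    # Modelled forms: "*" or {"AWS": <arn or list of arns>}.
    if principal == "*":
        return True
    allowed = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in allowed or caller_arn in allowed


def condition_matches(condition, context):
    """Every operator/key pair must hold. A key absent from the request follows
    IAM semantics: StringEquals fails, StringNotEquals and ForAllValues pass."""
    for operator, pairs in condition.items():
        set_prefix, _, base_op = operator.rpartition(":")
        for key, expected in pairs.items():
            expected = [str(e) for e in as_list(expected)]
            actual = [str(a) for a in as_list(context.get(key, []))]
            if base_op == "StringEquals" and set_prefix == "ForAnyValue":
                ok = any(a in expected for a in actual)   # at least one value allowed
            elif base_op == "StringEquals" and set_prefix == "ForAllValues":
                ok = all(a in expected for a in actual)   # every value allowed
            elif base_op == "StringEquals":
                ok = len(actual) == 1 and actual[0] in expected
            elif base_op == "StringNotEquals":
                ok = not actual or actual[0] not in expected
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for a request dict with
    principal_arn, action, resource and context (condition key -> value(s))."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        matches = (
            principal_matches(stmt["Principal"], request["principal_arn"])
            and any(fnmatch.fnmatchcase(request["action"].lower(), a.lower())
                    for a in as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(request["resource"], r)
                    for r in as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), request.get("context", {}))
        )
        if matches and stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny ends evaluation at once
        if matches:
            decision = "Allow"
    return decision


ALEX = "arn:aws:iam::111122223333:role/Alex"
ROOT = "arn:aws:iam::111122223333:root"
OBJECT_ARN = "arn:aws:s3:::gen786/report.csv"


def make_statement(sid, effect, principal, action, condition):
    return {"Sid": sid, "Effect": effect, "Principal": principal, "Action": action,
            "Resource": "arn:aws:s3:::gen786/*", "Condition": condition}


# Constructed copies of examples 3 and 4 (tag-conditioned Allows)...
TAG_POLICY = {"Version": "2012-10-17", "Statement": [
    make_statement("UploadWithSpecificTagOnly", "Allow", {"AWS": [ALEX]}, "s3:PutObject",
                   {"StringEquals": {"s3:RequestObjectTag/environment": "prod"}}),
    make_statement("SpecificTagKeysOnly", "Allow", {"AWS": [ALEX]}, "s3:PutObjectTagging",
                   {"ForAnyValue:StringEquals": {"s3:RequestObjectTagKeys": ["Owner", "CreationDate"]}}),
]}
# ...and example 5's Deny paired with a plain Allow for Alex, to show the Deny winning.
OWNER_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    make_statement("ReadForAlex", "Allow", {"AWS": [ALEX]}, "s3:GetObject", {}),
    make_statement("AllowOwnerOnlyAccess", "Deny", "*", "s3:*",
                   {"StringNotEquals": {"aws:PrincipalArn": ROOT}}),
]}


def decide(policy, who, action, context=None):
    """Decision for one request against the object OBJECT_ARN."""
    return evaluate(policy, {"principal_arn": who, "action": action,
                             "resource": OBJECT_ARN, "context": context or {}})
```

With these constructed policies, decide(TAG_POLICY, ALEX, "s3:PutObject", {"s3:RequestObjectTag/environment": "prod"}) returns "Allow", and the same upload without the tag (or tagged environment=dev) returns "ImplicitDeny", which is what example 3 intends. Example 4 deserves a closer look: a PutObjectTagging request with keys Owner and Department is still "Allow", because ForAnyValue only needs one requested key to be in the list; if the intent is that every key must come from the list, the statement needs ForAllValues:StringEquals instead, under which the same request becomes "ImplicitDeny". Under OWNER_ONLY_POLICY, Alex's GetObject is "ExplicitDeny" even though the ReadForAlex statement matches, while root's is "ImplicitDeny": the Deny does not apply to root, but nothing in the bucket policy grants root anything either; its access comes from the account's own permissions.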
For even more examples, refer to the AWS S3 documentation:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html