A bucket policy is a JSON document that tells sObject who can perform what action where and, optionally, under which conditions. Bucket policy can be applied with the open-source CLI tool shown below. The syntax follows the Amazon S3 format, so you can copy any example and just swap in your own names.
Policy Structure Recap
- Version – keep it "2012-10-17" for maximum compatibility.
- Statement – an array of one or more permission blocks.
- Each block contains Effect (Allow or Deny), Principal (who), Action (what), Resource (where) and optional Condition.
Ready-Made Policies
Public Read-Only
Perfect for static-website or CDN buckets.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKET-NAME/*"
}
]
}
Private Bucket for Selected Sub-Users
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowTeamRW",
"Effect": "Allow",
"Principal": {
"AWS": [
"urn:scoped-user:USER-ID:SUBUSER-A",
"urn:scoped-user:USER-ID:SUBUSER-B"
]
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::BUCKET-NAME",
"arn:aws:s3:::BUCKET-NAME/*"
]
}
]
}
IP-Restricted Access
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowFromOffice",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET-NAME",
"arn:aws:s3:::BUCKET-NAME/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"203.0.113.0/24",
"198.51.100.25/32"
]
}
}
}
]
}
Write-Only “Drop Box”
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WriteOnly",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::BUCKET-NAME/*"
},
{
"Sid": "DenyReads",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::BUCKET-NAME",
"arn:aws:s3:::BUCKET-NAME/*"
]
}
]
}
Enforce HTTPS Only
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyInsecure",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET-NAME",
"arn:aws:s3:::BUCKET-NAME/*"
],
"Condition": {
"Bool": { "aws:SecureTransport": "false" }
}
}
]
}
Tips & Troubleshooting
- Replace every placeholder such as <em>BUCKET-NAME</em> and user IDs with real values.
- After saving, test the new rules with curl or your SDK to confirm the behaviour.
- Policies are evaluated in this order: all Deny statements first, then Allow; a single explicit Deny overrides conflicting Allow.
Setting a Policy with s3cmd
Prefer working from your terminal? The open-source s3cmd utility can upload or retrieve bucket policies in seconds.
- Install s3cmd (pip install s3cmd or use your package manager).
- Run s3cmd --configure and enter your access key, secret key, and the sObject endpoint URL.
- Save your JSON policy as policy.json.
- Upload the policy:
s3cmd setpolicy policy.json s3://BUCKET-NAME - Verify the current policy:
s3cmd info s3://BUCKET-NAME (look for the “Policy:” section).
Note: The access key you use must belong to a sub-user (or main account) with Full permissions on the target bucket; otherwise, the upload will be denied.
Frequently Asked Questions
- Will a bucket policy override sub-user permissions?
Yes. The policy is evaluated in addition to the sub-user’s flag; the most restrictive rule wins.
- Can I attach multiple policies?
A bucket holds one JSON document. Combine multiple statements in the same file.