Example S3 Bucket Policies

Limiting Access to Specific IP Addresses

  • This statement denies every S3 action on the bucket and its objects unless the request's source IP falls within 54.240.143.0/24, the range of allowed IPv4 addresses.

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      }
    }
  ]
}

Adding a Bucket Policy to Require MFA

  • S3 supports MFA-protected API access, a feature that lets a bucket policy require MFA for access to your S3 resources. This policy denies every S3 action on objects under the taxdocuments/ prefix when the request carries no aws:MultiFactorAuthAge key, that is, when it was not authenticated with MFA.

{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
      "Condition": {"Null": {"aws:MultiFactorAuthAge": true}}
    }
  ]
}

Granting Read-Only Permission to an Anonymous User

  • The following policy grants s3:GetObject and s3:GetObjectVersion on every object in the bucket to anyone, including anonymous (unauthenticated) users.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    }
  ]
}
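The three policies above are easiest to reason about when you can see how IAM's evaluation rules (explicit Deny beats any Allow; no matching Allow means an implicit deny) and the NotIpAddress and Null operators play out against concrete requests. The following is an added example, not code from the page or from AWS: a small offline evaluator that inlines the three policies and checks constructed request contexts against them. It models only what these policies use (Principal "*", the NotIpAddress/IpAddress and Null operators, "*" and "?" wildcards), and it assumes, as a simplification of this toy, that a request with no aws:SourceIp matches no CIDR; the request contexts, IP addresses and object keys are constructed sample values.

```python
"""Toy evaluator for the S3 bucket-policy patterns shown on this page.

Added example, not from the page or AWS. It implements the evaluation rules
that matter here: any matching Deny wins, otherwise a matching Allow grants,
otherwise the request is implicitly denied. Request contexts are constructed.
"""
import ipaddress
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"

# The three policies from the page, inlined so the example runs stand-alone.
IP_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"}},
    }],
}
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": BUCKET + "/taxdocuments/*",
        "Condition": {"Null": {"aws:MultiFactorAuthAge": True}},
    }],
}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": [BUCKET + "/*"],
    }],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, value):
    """IAM-style wildcard match: '*' and '?' only, case-sensitive."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator in ("IpAddress", "NotIpAddress"):
                # Toy assumption: an absent aws:SourceIp matches no CIDR.
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                    for c in _as_list(expected))
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "Null":
                # Null: true -> key must be absent; Null: false -> key must be present.
                want_absent = str(expected).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def _statement_applies(stmt, action, resource, context):
    """A statement applies when principal, action, resource and condition all match."""
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        raise ValueError("toy model only handles Principal '*'")
    return (_glob_any(stmt["Action"], action)
            and _glob_any(stmt["Resource"], resource)
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request across all policies."""
    verdict = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            verdict = "Allow"
    return verdict


if __name__ == "__main__":
    # Constructed requests: anonymous GetObject from inside and outside the range,
    # and a tax-document read with and without MFA in the context.
    obj, tax = BUCKET + "/readme.txt", BUCKET + "/taxdocuments/2023.pdf"
    all_policies = [IP_ALLOW_POLICY, MFA_POLICY, PUBLIC_READ_POLICY]
    for ctx in ({"aws:SourceIp": "54.240.143.10"},
                {"aws:SourceIp": "203.0.113.5"},
                {"aws:SourceIp": "54.240.143.10", "aws:MultiFactorAuthAge": 300}):
        print(ctx, "readme:", evaluate(all_policies, "s3:GetObject", obj, ctx),
              "tax:", evaluate(all_policies, "s3:GetObject", tax, ctx))
```

Two things the evaluator makes visible that the policies alone do not: the IP and MFA policies are pure Deny statements, so on their own they grant nothing (a request from the allowed range still ends in an implicit deny until some Allow applies), and the Null check on aws:MultiFactorAuthAge only tests that MFA was used at all, not how long ago; bounding the age of the MFA session needs a separate numeric condition on the same key.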
