
AWS Management Console: Five steps to create an S3 bucket policy

In this AWS Management Console series, learn the five steps to create an S3 bucket policy.

Amazon Simple Storage Service (S3) is best known as object-based storage for data, but an S3 bucket policy can save AWS users time in setting and managing complex access rights for Amazon S3 resources. This tip guides developers through basic bucket policy practice. Note that S3 is usually used together with AWS Identity and Access Management (IAM) policies, which define user identities and their permissions. I'll cover IAM in a future tip.

You need an S3 bucket policy before anyone can read a file you've uploaded. If no policy is in place, the request fails with an error message saying access is denied:

This XML file does not appear to have any style information associated with it. The document tree is shown below.

<error>
  <code>AccessDenied</code>
  <message>Access Denied</message>
  <requestid>F7A33F55E19C8BFA</requestid>
  <hostid>UHwvZfsh+B9IczJIyrBQOKG1+JRVsybONoS8+pwo1DZSvscmdb9OIsnZw</hostid>
</error>

This message appears after you click the linked file name in the Properties window. To open this window, click the Properties tab on the right of the All Buckets window.

To fix the problem, create an S3 bucket policy. Use the AWS Policy Generator to generate a script that allows you to access your file.

I have two example scripts to show how to set permissions. The first is a short script that permits anyone to read my files. The second is a somewhat longer script that allows all accounts except one to upload files to my bucket.

For the first example, here are the three steps to follow: 

Step 1. Select policy type

Choose S3 Bucket Policy.

This policy is one of the four types of policies you can create. The other three are:

Step 2. Add statements

A statement is the formal description of a single permission. There are five elements in a statement. They are:

  • Effect element
  • Principal element
  • AWS service element
  • Actions element
  • Amazon Resource Name (ARN) element

For the Effect element, choose Allow to permit users to read a file.

For the Principal element, enter * in the input box. It is a wildcard that allows anonymous users to read the file. Be aware that this makes every object matched by the Resource element readable by anyone on the internet, so use it only for content you intend to be public.

For the AWS Service element, the generator automatically inserts Amazon S3 in the input box.

For the Actions element, check GetObject. This is the only action you need to read a file; you don't need any other action in the list.

For the Amazon Resource Name element, use the following format:

arn:aws:s3:::<bucket_name>/<key_name>

Use the name of a bucket you've already created (e.g., bucket01) and set the key name to * so the statement covers every object in the bucket. Enter the following in the input box:

arn:aws:s3:::bucket01/*

Skip the optional conditions on the statement, such as date, source location, version ID, maximum keys and other restrictions.

Click the Add Statement button when you are ready.

The generator immediately lists the elements you've added to the statement.

Once you are satisfied with the result, proceed to the next step.

Step 3. Create bucket policy

Press the Generate Policy button. This produces the policy you will attach to your bucket. The policy is written in the Access Policy Language, a JSON document:

{
  "Id": "Policy1393570093893",
  "Statement": [
    {
      "Sid": "Stmt1393569661962",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket01/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}

If the generated policy shows a wrong bucket name, you can edit it. Once you are satisfied with the policy, copy it to your clipboard; you will paste it into the bucket's policy editor.

Here's how to get to the policy editor:

  • Open your bucket in the AWS Management Console
  • Go to Properties and click Permissions
  • Select Add bucket policy

Once the editor opens, paste the policy and click Save. The editor also provides a link to Sample Bucket Policies.

In the second S3 bucket policy example, the bucket owner, who has full control, permits all accounts except one to upload files. For that one account, the bucket owner sets a condition that must be met before the upload is permitted. The s3:PutObject action is the operation that adds a file to a bucket.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"111",
      "Effect":"Allow",
      "Principal":{
        "AWS":"123456789"
      },
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::bucket01/*"
    },
    {
      "Sid":"112",
      "Effect":"Deny",
      "Principal":{
        "AWS":"123456789"
      },
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::bucket01/*",
      "Condition":{
        "StringNotEquals":{
          "s3:x-amz-grant-full-control":[
            "[email protected]"
          ]
        }
      }
    }
  ]
}

The first statement allows account 123456789 to upload files to bucket01. The second statement denies the same uploads whenever the request's s3:x-amz-grant-full-control value does not match the bucket owner's grantee, and an explicit Deny always wins over an Allow. So unless account 123456789 grants the bucket owner full control of the object on each upload, the upload is denied.
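To see how the two policies above are evaluated, here is an added example (my own code, not from the tip or from AWS) that models the part of the bucket policy evaluation logic these examples use: principal, action and resource matching, StringEquals/StringNotEquals conditions, and the rule that an explicit Deny beats any Allow while no matching Allow is an implicit deny. The grantee string and the object keys are constructed placeholders, and the evaluator ignores IAM user policies, account-level public access blocks and every other policy type, so it is a teaching model rather than a substitute for the real service.

```python
"""Minimal evaluator for the two S3 bucket policies shown in the tip (added example)."""
from fnmatch import fnmatchcase

# Constructed copy of the first policy: anonymous read of everything in bucket01.
PUBLIC_READ_POLICY = {
    "Id": "Policy1393570093893",
    "Statement": [{
        "Sid": "Stmt1393569661962",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucket01/*",
        "Principal": {"AWS": ["*"]},
    }],
}

# Constructed copy of the second policy. The grantee value is a placeholder,
# not a real address; the tip's own value is obscured.
OWNER_GRANTEE = "emailAddress=OWNER_EMAIL_PLACEHOLDER"
OWNER_CONTROL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "111", "Effect": "Allow", "Principal": {"AWS": "123456789"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket01/*"},
        {"Sid": "112", "Effect": "Deny", "Principal": {"AWS": "123456789"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket01/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-grant-full-control": [OWNER_GRANTEE]}}},
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, requester):
    """"*" (bare or under "AWS") matches everyone, including anonymous requests."""
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or requester in allowed


def _condition_matches(condition, context):
    """All condition keys must hold (logical AND). Only the two string operators
    used on this page are modelled; a missing context key is 'not equal'."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, requester, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request.

    requester: AWS account id string, or 'anonymous' for an unsigned request.
    context:   request keys such as 's3:x-amz-grant-full-control'.
    An explicit Deny wins immediately; with no matching Allow the result is Deny.
    """
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], requester):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def grants_public_access(policy):
    """Defender check: does any Allow statement use the wildcard principal?"""
    for stmt in policy["Statement"]:
        principal = stmt["Principal"]
        if stmt["Effect"] == "Allow" and (
                principal == "*" or "*" in _as_list(principal.get("AWS", []))):
            return True
    return False


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket01/report.pdf"          # constructed object ARN
    print(evaluate(PUBLIC_READ_POLICY, "anonymous", "s3:GetObject", obj))   # Allow
    print(evaluate(PUBLIC_READ_POLICY, "anonymous", "s3:PutObject", obj))   # Deny
    print(evaluate(OWNER_CONTROL_POLICY, "123456789", "s3:PutObject", obj))  # Deny
    print(evaluate(OWNER_CONTROL_POLICY, "123456789", "s3:PutObject", obj,
                   {"s3:x-amz-grant-full-control": OWNER_GRANTEE}))         # Allow
    print(grants_public_access(PUBLIC_READ_POLICY))                          # True
```

Running the script shows the two behaviours the tip describes: the first policy lets an anonymous request read any object in bucket01 but nothing else, and under the second policy account 123456789 is denied unless its request carries the full-control grant for the bucket owner. The grants_public_access check is the kind of review a bucket owner should run before saving a policy with a wildcard principal.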

In conclusion, you need a bucket policy to allow or deny accounts reading and uploading files in your bucket. Amazon provides a reference on the operations available on buckets and objects.
