import CodeBlock from '@/components/mdx/CodeBlock'
import Tip from '@/components/mdx/Tip'
import Terminal from '@/components/mdx/Terminal'
import OutputBlock from '@/components/mdx/OutputBlock'
export const meta = { title: 'S3 Bucket Policies', description: 'Understanding and configuring policies for S3 buckets.', lastUpdated: '2026-05-15', readTime: '10 min read', order: 11 }
# S3 Bucket Policies
## Introduction
Amazon Simple Storage Service (S3) is a highly scalable object storage service that allows you to store and retrieve any amount of data at any time from anywhere on the web. One of the key features of S3 is its ability to control access to your buckets and objects using bucket policies. These policies are written in JSON format and define permissions for actions such as read, write, delete, and more.
In this tutorial, we will explore how to understand and configure bucket policies for Amazon S3. We'll cover the basics of bucket policies, their structure, and provide practical examples to help you get started.
## Concept
A bucket policy is a JSON document attached directly to an S3 bucket; it specifies which principals may access that bucket and the objects in it, and which actions they may perform. A request is evaluated against every policy that applies to it (the bucket policy together with the caller's IAM identity policies, for example): the Allow statements are additive, but an explicit Deny in any of them overrides every Allow, so the most restrictive statement takes precedence.
### Key Components of a Bucket Policy
1. **Version**: Specifies the version of the policy language.
2. **Statement**: An array of statements, each defining a set of permissions.
3. **Effect**: Determines whether the statement allows or denies access (`Allow` or `Deny`).
4. **Principal**: The AWS account, IAM user or role, or AWS service that the statement applies to; `"*"` means every principal, including unauthenticated (anonymous) requests.
5. **Action**: The actions that are allowed or denied (e.g., `s3:GetObject`, `s3:PutObject`).
6. **Resource**: The S3 bucket and objects that the statement applies to, given as ARNs. Object-level actions such as `s3:GetObject` need the object form `arn:aws:s3:::bucket-name/*`; bucket-level actions such as `s3:ListBucket` need the bucket ARN `arn:aws:s3:::bucket-name` itself.
### Example Bucket Policy
Here is a basic example of an S3 bucket policy that allows public read access to all objects in the bucket. A statement like this makes every object readable by anyone on the internet, so use it only for content that is meant to be public; note that S3 Block Public Access, which is enabled by default on new buckets, rejects a policy that grants public access until you deliberately turn that setting off.
<CodeBlock language="json">
{`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}`}
</CodeBlock>
In this example:
- **Version**: Specifies the policy language version.
- **Statement**: Contains a single statement that lets any principal (`"Principal": "*"`) call `s3:GetObject` on every object in the `my-bucket` bucket, which is what makes the bucket publicly readable.
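The check a defender wants before applying a policy like this is to know whether any statement opens the bucket to the world. The following is an added Python example, not code from this tutorial or from AWS: a small linter that normalises the policy fields that may be a string, an object or a list, then reports Allow statements whose Principal is `"*"` (or `{"AWS": "*"}`), using the policy above as constructed sample input. IAM Access Analyzer performs this kind of analysis for real buckets; this block only shows the logic.

```python
"""Static check of a bucket policy for statements that grant public access.
Added example, not the tutorial's code; it normalises the fields that may be
a string, object or list, then reports Allow statements open to any principal."""
import json

# Constructed sample input: the tutorial's public-read policy.
PUBLIC_READ_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}"""


def as_list(value):
    """Statement, Action, Resource and Principal["AWS"] may be a single
    value or a list; normalise to a list for uniform handling."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True when the Principal matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return findings for Allow statements whose Principal is anyone.

    A Condition block narrows the grant (for example to one source VPC), so
    such statements are reported as "conditional" instead of "public" and
    need a human to judge them.
    """
    findings = []
    for index, statement in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not principal_is_public(statement.get("Principal")):
            continue
        findings.append({
            "statement": statement.get("Sid", f"Statement[{index}]"),
            "severity": "conditional" if statement.get("Condition") else "public",
            "actions": as_list(statement.get("Action")),
            "resources": as_list(statement.get("Resource")),
        })
    return findings


if __name__ == "__main__":
    for finding in find_public_statements(PUBLIC_READ_POLICY):
        print(f"{finding['severity'].upper()}: {finding['statement']} grants "
              f"{', '.join(finding['actions'])} on {', '.join(finding['resources'])}")
```

Run against the policy above it reports one `PUBLIC` finding for `s3:GetObject` on `arn:aws:s3:::my-bucket/*`; a Deny statement with the same wildcard principal is deliberately not reported, since a Deny never widens access.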
## Examples
### Example 1: Allow Public Read Access
Let's create a simple bucket policy to allow public read access to all objects in an S3 bucket named `public-access-bucket`.
<CodeBlock language="json">
{`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::public-access-bucket/*"
    }
  ]
}`}
</CodeBlock>
To apply this policy, you can use the AWS CLI:
<Terminal>
{`aws s3api put-bucket-policy --bucket public-access-bucket --policy file://policy.json`}
</Terminal>
### Example 2: Restrict Access to Specific Users
Suppose you want to grant access to a specific IAM user. You can create a policy that allows this user to read and write objects in the bucket. Keep in mind that an Allow statement only adds permissions: it does not take away access that other identities in the account already have through their own IAM policies, so restricting the bucket to this user alone also requires that no other identity policy grants S3 access to it (or an explicit Deny statement covering everyone else).
<CodeBlock language="json">
{`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/john-doe"
      },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::restricted-bucket/*"
    }
  ]
}`}
</CodeBlock>
To apply this policy, use the AWS CLI:
<Terminal>
{`aws s3api put-bucket-policy --bucket restricted-bucket --policy file://policy.json`}
</Terminal>
### Example 3: Deny Access to a Specific IP Address
You can also deny access from specific IP addresses. For example, to block requests coming from the IP address `192.168.1.1`, you can create a policy like this. The `IpAddress` condition is matched against `aws:SourceIp`, the address the request arrives from as seen by AWS, and it also accepts CIDR ranges such as `192.168.1.0/24`. Because the `Resource` here is the object ARN pattern, this Deny covers object-level actions; to cover bucket-level actions such as listing the bucket as well, add `arn:aws:s3:::blocked-bucket` to the `Resource` list.
<CodeBlock language="json">
{`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::blocked-bucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "192.168.1.1"}
      }
    }
  ]
}`}
</CodeBlock>
To apply this policy, use the AWS CLI:
<Terminal>
{`aws s3api put-bucket-policy --bucket blocked-bucket --policy file://policy.json`}
</Terminal>
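To see how the statements in Examples 2 and 3 interact under the evaluation rule from the Concept section, here is an added Python example; it is not part of the tutorial and not how AWS implements evaluation. It is a toy evaluator for bucket-policy statements that supports only the elements used above: a Principal of `"*"` or `{"AWS": arn}`, wildcard `Action` and `Resource` patterns, and the `IpAddress` condition on `aws:SourceIp`. The bucket policy it evaluates is constructed by combining Example 2's grant to `john-doe` with Example 3's IP-based Deny on one bucket; the second principal ARN, the object key and the request source addresses are constructed sample values.

```python
# Toy bucket-policy evaluator (added example; not the tutorial's or AWS's code).
import fnmatch
import ipaddress
import json

# Constructed sample input: Example 2's grant to john-doe plus Example 3's
# IP-based Deny, placed on one bucket so their interaction is visible.
BUCKET_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowJohnDoe",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:user/john-doe"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::restricted-bucket/*"
    },
    {
      "Sid": "DenyBlockedIp",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::restricted-bucket/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.1"}}
    }
  ]
}"""
JOHN = "arn:aws:iam::123456789012:user/john-doe"
OTHER = "arn:aws:iam::123456789012:user/someone-else"  # constructed ARN


def as_list(value):
    """Statement, Action, Resource and Principal["AWS"] may be one value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_matches(principal, caller_arn):
    """A Principal of "*" matches anyone, anonymous included; {"AWS": ...} matches listed ARNs."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in as_list(principal.get("AWS")))
    return False


def pattern_matches(patterns, value):
    """IAM wildcards * and ? behave like shell globs; matching is case-insensitive
    for action names, and ARNs contain no glob metacharacters."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in as_list(patterns))


def condition_matches(condition, request):
    """Only IpAddress/NotIpAddress on aws:SourceIp are modelled; every operator
    in the block must hold, and a missing context key never matches."""
    for operator, keys in (condition or {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, cidrs in keys.items():
            if key != "aws:SourceIp":
                raise NotImplementedError(f"condition key {key} not modelled")
            if request.get(key) is None:
                return False
            source = ipaddress.ip_address(request[key])
            in_range = any(source in ipaddress.ip_network(c, strict=False)
                           for c in as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy_json, request):
    """Return "explicit_deny", "allow" or "implicit_deny" for one request:
    default deny, any matching Allow grants, any matching Deny wins outright."""
    decision = "implicit_deny"
    for statement in as_list(json.loads(policy_json).get("Statement")):
        if not (principal_matches(statement.get("Principal"), request["principal"])
                and pattern_matches(statement.get("Action"), request["action"])
                and pattern_matches(statement.get("Resource"), request["resource"])
                and condition_matches(statement.get("Condition"), request)):
            continue
        if statement.get("Effect") == "Deny":
            return "explicit_deny"  # a Deny ends evaluation regardless of Allows
        decision = "allow"
    return decision


def make_request(principal, action, resource, source_ip):
    return {"principal": principal, "action": action,
            "resource": resource, "aws:SourceIp": source_ip}


if __name__ == "__main__":
    obj, bucket = "arn:aws:s3:::restricted-bucket/report.csv", "arn:aws:s3:::restricted-bucket"
    for req in (make_request(JOHN, "s3:GetObject", obj, "203.0.113.10"),
                make_request(JOHN, "s3:GetObject", obj, "192.168.1.1"),
                make_request(OTHER, "s3:GetObject", obj, "203.0.113.10"),
                make_request(JOHN, "s3:ListBucket", bucket, "192.168.1.1")):
        print(f"{req['action']:14} from {req['aws:SourceIp']:13} "
              f"as {req['principal'].rsplit('/', 1)[1]:13} -> {evaluate(BUCKET_POLICY, req)}")
```

The four requests in the `__main__` block show the rule in action: `john-doe` reading an object from `203.0.113.10` is allowed, the same read from `192.168.1.1` is an explicit deny even though the Allow statement also matches, another user gets an implicit deny because nothing grants them anything, and a `s3:ListBucket` call on the bucket ARN from the blocked address is only an implicit deny, because both statements name `restricted-bucket/*` and therefore never match the bucket ARN itself. That last case is the resource-coverage caveat from Example 3 made visible.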
## What's Next?
Now that you have a good understanding of S3 bucket policies and how to configure them, you might want to explore other storage services offered by AWS. The next topic in our curriculum is "Introduction to Amazon RDS," where we will dive into relational database management in the cloud.
Stay tuned for more tutorials and happy coding!