S3 Storage Policies
Guide to Managing Access Policies and Object Lifecycle in S3 Storage
S3 bucket policies allow you to protect access to objects in buckets by granting access only to users with the appropriate permissions.
To set up a policy, create a file describing the policy:
nano bucket-policy.json
Add a policy description, for example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
Note
This policy makes all bucket content publicly readable by anyone, including unauthenticated clients. Apply it only to buckets whose contents are meant to be public.
Apply the policy:
aws s3api put-bucket-policy --bucket your-bucket-name --policy file://bucket-policy.json
Check the current policy:
aws s3api get-bucket-policy --bucket your-bucket-name
Delete the policy:
aws s3api delete-bucket-policy --bucket your-bucket-name
Common Policy Examples
Allow anyone on the internet to read files via direct links:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
Policy that denies object reads over plain HTTP. Note that the condition tests the transport, not whether the caller is authenticated: an anonymous read over HTTPS is not denied by this statement, so it is not on its own a way to block public access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicRead",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Allow access from specific IP addresses (an Allow only grants; it does not by itself reject requests from other addresses that some other statement or ACL permits):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" }
      }
    }
  ]
}
Block insecure (non-HTTPS) connections:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
Managing Storage Lifecycle
A bucket lifecycle configuration defines automated actions, such as expiration, that the storage applies to objects once they reach a given age.
To configure a lifecycle policy, create a file:
nano lifecycle.json
Add:
{
  "Rules": [
    {
      "ID": "DeleteAfter30Days",
      "Prefix": "",
      "Status": "Enabled",
      "Expiration": {
        "Days": 30
      }
    }
  ]
}
Note
All objects in the bucket (the empty prefix matches every key) will be deleted 30 days after upload.
Apply the policy to the bucket:
aws s3api put-bucket-lifecycle-configuration \
--bucket your-bucket-name \
--lifecycle-configuration file://lifecycle.json
Check current lifecycle configuration:
aws s3api get-bucket-lifecycle-configuration \
--bucket your-bucket-name
Delete lifecycle configuration:
aws s3api delete-bucket-lifecycle \
--bucket your-bucket-name
Help
If you encounter difficulties or need assistance, please submit a request to our support team via the ticket system, and we’ll be happy to help you.