S3 Storage Policies

Guide to Managing Access Policies and Object Lifecycle in S3 Storage

S3 bucket policies are JSON documents attached to a bucket that allow or deny specific actions on the bucket and its objects for specific principals. The principal "*" means every requester, including unauthenticated (anonymous) ones, so a policy is the place where a bucket is either locked down or accidentally made public.

To set up a policy, create a file describing the policy:

nano bucket-policy.json

Add a policy description, for example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

Note

This policy makes every object in the bucket readable by anyone on the internet, without authentication. On AWS, S3 Block Public Access (enabled by default on new buckets) rejects a policy like this when it is applied; only turn it off for buckets that are meant to be public, and never use Principal "*" in an Allow on a bucket that holds private data.

Apply the policy:

aws s3api put-bucket-policy --bucket your-bucket-name --policy file://bucket-policy.json

Check the current policy:

aws s3api get-bucket-policy --bucket your-bucket-name

Delete the policy:

aws s3api delete-bucket-policy --bucket your-bucket-name

Common Policy Examples

Allow anyone on the internet to read objects via direct links (anonymous GetObject on every key; listing the bucket is not granted because s3:ListBucket on the bucket ARN is not included):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

Deny object reads that arrive over plain HTTP. The Sid "DenyPublicRead" is misleading: the condition tests aws:SecureTransport, so this statement denies every principal, authenticated or not, only when the request is not TLS-protected. It grants nothing on its own and does not block unauthenticated readers who are allowed elsewhere; it is the GetObject-only form of the transport rule further down:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicRead",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Allow object reads only from a specific source range (203.0.113.0/24 is a documentation range; substitute your own). Because this is an Allow with Principal "*", it makes the objects readable without authentication from that range, and it does not revoke access granted elsewhere: to actually restrict readers to the range, pair it with a Deny statement that uses NotIpAddress. Note also that aws:SourceIp is not set for requests that reach S3 through a VPC endpoint (those carry aws:VpcSourceIp instead):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" }
      }
    }
  ]
}

Block insecure (non-HTTPS) connections for every principal and every action. The bucket ARN is listed alongside the object ARN so that bucket-level operations such as listing are covered too:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
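Before applying any of the policies above with put-bucket-policy, it is worth replaying them against concrete requests to confirm they do what their Sid suggests. The following is an added example, not code from this page or from AWS: a small offline evaluator for the policy subset used here (Principal "*", s3 actions, bucket and object ARNs, and the Bool, IpAddress and NotIpAddress operators), following the IAM rule that an explicit Deny beats every Allow and an unmatched request is implicitly denied. The bucket name, object key, source addresses and the extra "DenyOtherIPs" statement are assumptions made for the demonstration.

```python
"""Offline evaluator for the bucket-policy subset used on this page. Added
example, not part of the page; bucket, key, addresses and the DenyOtherIPs
statement are made-up sample values."""
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::your-bucket-name"   # placeholder bucket from the page
OBJECT = BUCKET + "/report.pdf"            # constructed object key


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Every operator/key pair must hold. A key absent from the request context is
    treated as not matching (simplification: real IAM has extra rules for negated
    operators, and aws:SourceIp is absent on requests through a VPC endpoint)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(cidr, strict=False)
                               for cidr in _as_list(expected))
                if in_range != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
    return True


def _statement_applies(stmt, action, resource, ctx):
    if stmt.get("Principal") != "*":
        return False   # only the anonymous / wildcard principal is modelled
    glob = fnmatch.fnmatchcase   # IAM's * and ? wildcards behave like shell globs
    return (any(glob(action, a) for a in _as_list(stmt["Action"]))
            and any(glob(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), ctx))


def evaluate(policy, action, resource, ctx):
    """IAM evaluation order: an explicit Deny beats every Allow; a request that no
    statement matches is implicitly denied. Only the bucket policy is modelled,
    a principal's own IAM policies are a separate source of Allows."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# The page's statements as Python dicts.
PUBLIC_READ = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": BUCKET + "/*"}
DENY_HTTP_READS = {"Sid": "DenyPublicRead", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": BUCKET + "/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
IP_ALLOW = {"Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": BUCKET + "/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
DENY_INSECURE = {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                 "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
# Added hardening (not on the page): IPAllow alone only fails to grant
# out-of-range readers; this Deny actually blocks them.
IP_DENY_OTHERS = {"Sid": "DenyOtherIPs", "Effect": "Deny", "Principal": "*",
                  "Action": "s3:GetObject", "Resource": BUCKET + "/*",
                  "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}

# Constructed request contexts (TEST-NET addresses).
HTTPS_OUTSIDE = {"aws:SecureTransport": "true", "aws:SourceIp": "198.51.100.7"}
HTTP_OUTSIDE = {"aws:SecureTransport": "false", "aws:SourceIp": "198.51.100.7"}
HTTPS_OFFICE = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.42"}


def demo():
    """Replay the page's examples; returns {label: decision} for checking."""
    get, lst = "s3:GetObject", "s3:ListBucket"
    return {
        "public_read_get": evaluate(_policy(PUBLIC_READ), get, OBJECT, HTTPS_OUTSIDE),
        "public_read_list": evaluate(_policy(PUBLIC_READ), lst, BUCKET, HTTPS_OUTSIDE),
        # "DenyPublicRead" denies plaintext HTTP, not anonymous users ...
        "deny_http_over_http": evaluate(_policy(DENY_HTTP_READS), get, OBJECT, HTTP_OUTSIDE),
        # ... combined with PublicRead, an anonymous reader still gets the object over HTTPS.
        "deny_http_plus_public": evaluate(_policy(PUBLIC_READ, DENY_HTTP_READS), get, OBJECT, HTTPS_OUTSIDE),
        "ip_allow_office": evaluate(_policy(IP_ALLOW), get, OBJECT, HTTPS_OFFICE),
        "ip_allow_outside": evaluate(_policy(IP_ALLOW), get, OBJECT, HTTPS_OUTSIDE),
        "ip_deny_outside": evaluate(_policy(IP_ALLOW, IP_DENY_OTHERS), get, OBJECT, HTTPS_OUTSIDE),
        # DenyInsecureTransport also covers bucket-level calls such as listing.
        "insecure_list_http": evaluate(_policy(DENY_INSECURE), lst, BUCKET, HTTP_OUTSIDE),
    }
```

The two results worth noticing: "DenyPublicRead" combined with "PublicRead" still returns Allow for an anonymous HTTPS reader, so it is not an "unauthenticated users" rule, and "IPAllow" returns only ImplicitDeny for an outside address, which a matching Allow elsewhere would override; the added NotIpAddress Deny turns that into a hard Deny.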

Managing Storage Lifecycle

A lifecycle configuration is a set of rules that S3 applies to objects automatically as they age, such as expiring (deleting) them or moving them to another storage class a given number of days after creation. Each rule is scoped by a key prefix (or tags) and can be enabled or disabled independently.

To configure a lifecycle policy, create a file:

nano lifecycle.json

Add:

{
  "Rules": [
    {
      "ID": "DeleteAfter30Days",
      "Filter": { "Prefix": "" },
      "Status": "Enabled",
      "Expiration": {
        "Days": 30
      }
    }
  ]
}

The older form with a top-level "Prefix": "" instead of "Filter" is still accepted; "Filter" is the current syntax and is also where tag-based scoping goes.

Note

An empty prefix matches every key, so every object in the bucket is deleted 30 days after it was created (S3 adds the days to the creation time and rounds up to the next midnight UTC). Scope the rule with a prefix such as "logs/" unless deleting the whole bucket contents is intended. On a versioning-enabled bucket, Expiration only places a delete marker on the current version; add NoncurrentVersionExpiration to actually remove older versions.
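Because a lifecycle rule with an empty prefix applies to the whole bucket, it pays to dry-run the configuration against a listing before applying it. The following is an added example, not code from this page or from AWS: it reads the rule's prefix in either the "Filter" or the legacy top-level "Prefix" form, applies the S3 rule that expiry is the creation time plus Days rounded up to the next midnight UTC, and reports which keys a rule would have removed by a given moment. The object keys, creation times and the "ExpireOldLogs" rule are constructed for the demonstration.

```python
"""Dry run of an S3 lifecycle configuration against a constructed object listing.
Added example, not part of the page; keys and timestamps are made up."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def _rule_prefix(rule):
    """Accept the current "Filter": {"Prefix": ...} form and the legacy top-level "Prefix"."""
    if "Filter" in rule:
        return rule["Filter"].get("Prefix", "")
    return rule.get("Prefix", "")


def expiry_time(created, days):
    """S3 adds Days to the creation time and rounds the result up to the next
    midnight UTC, so a 30-day rule keeps an object slightly longer than 30 days."""
    due = created.astimezone(UTC) + timedelta(days=days)
    midnight = due.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight if due == midnight else midnight + timedelta(days=1)


def expired_keys(config, listing, now):
    """Keys whose current version an enabled Days-based Expiration rule would have
    removed by `now`. Versioning is not modelled: on a versioned bucket Expiration
    only adds a delete marker, and old versions need NoncurrentVersionExpiration."""
    doomed = set()
    for rule in config["Rules"]:
        days = rule.get("Expiration", {}).get("Days")
        if rule.get("Status") != "Enabled" or days is None:
            continue  # disabled rules, Date-based and delete-marker rules are skipped
        prefix = _rule_prefix(rule)   # "" matches every key in the bucket
        for key, created in listing.items():
            if key.startswith(prefix) and expiry_time(created, days) <= now:
                doomed.add(key)
    return sorted(doomed)


# The page's rule (legacy Prefix form) and a scoped variant in the Filter form.
DELETE_EVERYTHING = {"Rules": [{"ID": "DeleteAfter30Days", "Prefix": "",
                                "Status": "Enabled", "Expiration": {"Days": 30}}]}
LOGS_ONLY = {"Rules": [{"ID": "ExpireOldLogs", "Filter": {"Prefix": "logs/"},
                        "Status": "Enabled", "Expiration": {"Days": 30}}]}

# Constructed listing: key -> creation time.
LISTING = {
    "logs/2024-01-01.gz": datetime(2024, 1, 1, 10, 0, tzinfo=UTC),
    "logs/2024-01-20.gz": datetime(2024, 1, 20, 10, 0, tzinfo=UTC),
    "config/prod.yaml": datetime(2023, 6, 1, 9, 30, tzinfo=UTC),
}
BEFORE_MIDNIGHT = datetime(2024, 1, 31, 12, 0, tzinfo=UTC)  # 30 days and 2 h after the first log
AFTER_MIDNIGHT = datetime(2024, 2, 1, 0, 0, tzinfo=UTC)


def demo():
    """Run the two configurations at both instants; returns {label: expired keys}."""
    return {
        "everything_before": expired_keys(DELETE_EVERYTHING, LISTING, BEFORE_MIDNIGHT),
        "everything_after": expired_keys(DELETE_EVERYTHING, LISTING, AFTER_MIDNIGHT),
        "logs_only_after": expired_keys(LOGS_ONLY, LISTING, AFTER_MIDNIGHT),
    }
```

With the page's empty-prefix rule the dry run flags config/prod.yaml, an object nobody meant to expire, while the log uploaded 30 days and 2 hours earlier is not yet due because of the midnight rounding; the scoped "logs/" rule touches only the log objects.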

Apply the policy to the bucket:

aws s3api put-bucket-lifecycle-configuration \
--bucket your-bucket-name \
--lifecycle-configuration file://lifecycle.json

Check current lifecycle configuration:

aws s3api get-bucket-lifecycle-configuration \
--bucket your-bucket-name

Delete lifecycle configuration:

aws s3api delete-bucket-lifecycle \
--bucket your-bucket-name

Help

If you encounter difficulties or need assistance, please submit a request to our support team via the ticket system, and we’ll be happy to help you.
