General information about access policies

Access to a container (bucket) can be controlled with an access policy (bucket policy). A policy consists of rules that allow or deny actions on a resource (the container or a group of its objects) for all principals (users) or for selected ones. The basic principle is that once an access policy exists, everything it does not explicitly allow is denied.

The access policy only works with the S3 API.

The access policy has a maximum size limit of 20 KB.

An access policy can apply to any user whose role already grants access to the storage, and it is also what defines access for users with the Object Storage User role. For how the role model and access policies interact, see Managing Access in Object Storage.

Only users with the role of Account Owner, Account Administrator, or Administrator of the project in which the container resides can manage access policies.

Access policies can be created and managed in the control panel or via the S3 API; in both cases the policy must follow the policy structure described below.

Access policy structure

The access policy has a JSON structure. Example policy:

{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::container-name",
        "arn:aws:s3:::container-name/*",
        "arn:aws:s3:::container-name/${aws:userid}/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": [
            "storage-test-user-agent"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::container-name/*"
    }
  ]
}

Policy content:

  • Id (String): policy identifier; any value.
  • Version (String): access policy version; always the constant "2012-10-17".
  • Statement (Array): array of rules.
  • Sid (String): name of the rule.
  • Effect (String): rule type, Allow or Deny.
  • Principal.AWS (Array of strings or string): principals; user IDs, or * for all requests.
  • Action (Array of strings or string): actions, or * for all actions.
  • Resource (Array of strings or string): resources the rule applies to.
  • Condition (Object): conditions, written as [operator]: {[key]: [array of values]}, as in the example above.

Rules

Rules are of two types: Allow and Deny.

A rule's effect applies to the actions, resources, and principals listed in that rule.

If a policy contains several rules, they are combined as follows:

  • if at least one Allow rule matches the request and no Deny rule matches it, access is allowed;
  • if at least one Deny rule matches, access is denied;
  • if both an Allow rule and a Deny rule match, access is denied: an explicit Deny always overrides an Allow;
  • if no rule matches, access is denied.

Principals

The rule applies to requests from the principals (users) it lists:

  • user IDs restrict the rule to authorized requests from those specific users (the service user ID can be viewed in the control panel);
  • the * symbol covers all requests, authorized and unauthorized (anonymous) alike.

You can add control panel users as principals in access policies only when configuring the policy through the control panel.

Resources

Resources are the container or the set of objects to which the rule applies. You can specify only resources that belong to the container for which the policy is configured.

Resources can be specified in these formats:

  • arn:aws:s3:::<container-name>: the container itself. Only one resource of this form may be specified, and it must be the container for which the policy is configured. It covers container-level actions (for example s3:ListBucket or s3:GetBucketCORS) and does not apply to the container's objects;
  • arn:aws:s3:::<container-name>/<prefix>: objects in the container whose key starts with <prefix>. Specify * as the prefix to include all objects in the container;
  • arn:aws:s3:::<container-name>/${<variable-name>}: objects in the container, where <variable-name> is the name of a policy variable (a condition key such as aws:userid) whose value is taken from the request and used as the prefix.

Actions

Specify * to include all actions in the rule. Supported actions:

  • s3:AbortMultipartUpload: abort a multipart upload started via the S3 API
  • s3:DeleteBucket: delete the container
  • s3:DeleteObject: delete an object
  • s3:DeleteObjectVersion: delete a specific version of an object
  • s3:GetBucketCORS: read the CORS configuration of the container
  • s3:GetBucketLocation: read the pool in which the container is located
  • s3:GetBucketVersioning: read whether versioning is enabled for the container
  • s3:GetObject: read an object
  • s3:GetObjectVersion: read a specific version of an object
  • s3:ListBucket: list the objects in the container (all or a subset)
  • s3:ListBucketMultipartUploads: list the multipart uploads in progress via the S3 API
  • s3:ListBucketVersions: read the metadata of all object versions in the container
  • s3:ListMultipartUploadParts: list the parts already uploaded in a multipart upload via the S3 API
  • s3:PutBucketCORS: set the CORS configuration of the container
  • s3:PutBucketVersioning: enable or disable versioning for the container
  • s3:PutObject: add an object to the container (upload or copy)

Conditions

A condition defines the cases in which the rule applies. A condition consists of a key, an operator and a value.

The rule applies only when every condition in it evaluates to true.

Keys

One key can be used in multiple conditions. Multiple values can be assigned to a key.

  • aws:CurrentTime: compares the date and time of the request with the value in the condition.
  • aws:Referer: compares the Referer header of the request with the value in the condition. Example: https://example.com/
  • aws:PrincipalType: the type of principal making the request. Possible values: Account, User, AssumedRole, Anonymous.
  • aws:SecureTransport: whether the request was sent over SSL/TLS. Possible values: true or false.
  • aws:SourceIp: compares the source IP address of the request with the value in the condition.
  • aws:UserAgent: compares the User-Agent header of the request with the value in the condition. Example: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
  • aws:userid: compares the user ID with the value in the condition. Example: 9103a81de217448d908e53ac60c84acb
  • aws:username: compares the username with the value in the condition.
  • s3:authType: restricts requests to the authentication method given in the condition. Examples: REST-HEADER, REST-QUERY-STRING, POST.
  • s3:delimiter: the delimiter that list requests must include. Example: /
  • s3:max-keys: the maximum number of keys a ListBucket request may ask for.
  • s3:prefix: restricts access by key-name prefix.
  • s3:signatureAge: the maximum age of the signature in the authentication request, in milliseconds.
  • s3:signatureversion: the AWS signature version used for authentication. Examples: AWS, AWS4-HMAC-SHA256.
  • s3:versionid: restricts access to a specific version of an object. Example: L4kqtJlcpXroDTDDmpUMLUo
  • s3:x-amz-content-sha256: disallows unsigned content in the request.
  • s3:x-amz-copy-source: restricts the copy source to a specific container, prefix, or object.
  • s3:x-amz-metadata-directive: forces COPY or REPLACE of metadata when copying objects.
  • s3:x-amz-server-side-encryption: requires server-side encryption.
  • s3:x-amz-storage-class: restricts access by storage class.
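Because a policy that references an unsupported action or key, or a resource in another container, is simply wrong for this storage, it is worth checking a policy against the constraints on this page before applying it. The linter below is an added example, not the provider's own tooling: the action and condition-key lists are transcribed from this page, the 20 KB limit and the single-container rule are the ones stated above, and the GOOD and BAD policies are constructed for the demo (s3:GetBucketPolicy and aws:SourceVpc are deliberately chosen names that are not on this page's lists).

```python
"""Lint a bucket policy against the limits documented on this page before
applying it. Added example: the action and key lists are transcribed from the
page, not fetched from the provider, and the checks are this example's own."""
from __future__ import annotations

import json

MAX_POLICY_BYTES = 20 * 1024  # the page's 20 KB limit
SUPPORTED_ACTIONS = {
    "s3:AbortMultipartUpload", "s3:DeleteBucket", "s3:DeleteObject",
    "s3:DeleteObjectVersion", "s3:GetBucketCORS", "s3:GetBucketLocation",
    "s3:GetBucketVersioning", "s3:GetObject", "s3:GetObjectVersion",
    "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions",
    "s3:ListMultipartUploadParts", "s3:PutBucketCORS", "s3:PutBucketVersioning",
    "s3:PutObject",
}
SUPPORTED_KEYS = {
    "aws:CurrentTime", "aws:Referer", "aws:PrincipalType", "aws:SecureTransport",
    "aws:SourceIp", "aws:UserAgent", "aws:userid", "aws:username", "s3:authType",
    "s3:delimiter", "s3:max-keys", "s3:prefix", "s3:signatureAge",
    "s3:signatureversion", "s3:versionid", "s3:x-amz-content-sha256",
    "s3:x-amz-copy-source", "s3:x-amz-metadata-directive",
    "s3:x-amz-server-side-encryption", "s3:x-amz-storage-class",
}


def _as_list(value):
    # Action, Resource and condition values may be a single string or an array.
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, bucket: str) -> list[str]:
    """Return the problems found; an empty list means the policy passes."""
    problems: list[str] = []
    size = len(json.dumps(policy, separators=(",", ":")).encode())
    if size > MAX_POLICY_BYTES:
        problems.append(f"policy is {size} bytes, limit is {MAX_POLICY_BYTES}")
    if policy.get("Version") != "2012-10-17":
        problems.append('Version must be the constant "2012-10-17"')
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(policy.get("Statement", [])):
        where = stmt.get("Sid") or f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        for field in ("Principal", "Action", "Resource"):
            if field not in stmt:
                problems.append(f"{where}: missing {field}")
        # The page documents "*" and the listed actions; anything else (including
        # patterns such as s3:Get*) is flagged so it is not relied on blindly.
        for action in _as_list(stmt.get("Action", [])):
            if action != "*" and action not in SUPPORTED_ACTIONS:
                problems.append(f"{where}: action {action} is not in the supported list")
        # Only the configured container (its bucket ARN) and its objects may appear.
        for arn in _as_list(stmt.get("Resource", [])):
            if arn != bucket_arn and not arn.startswith(bucket_arn + "/"):
                problems.append(f"{where}: resource {arn} is outside container {bucket}")
        for operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                if key not in SUPPORTED_KEYS:
                    problems.append(f"{where}: condition key {key} ({operator}) is not in the supported list")
    return problems


# Constructed policies for the demo. GOOD grants anonymous read of the public/
# prefix to requests carrying a fixed Referer; BAD breaks four documented rules
# (wrong Version, action and key not on the page's lists, foreign container).
GOOD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadFromSite", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::container-name", "arn:aws:s3:::container-name/public/*"],
        "Condition": {"StringEquals": {"aws:Referer": ["https://example.com/"]}},
    }],
}
BAD = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "Broken", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetBucketPolicy"],
        "Resource": ["arn:aws:s3:::other-container/*"],
        "Condition": {"StringEquals": {"aws:SourceVpc": ["vpc-0123"]}},
    }],
}

if __name__ == "__main__":
    print(lint_policy(GOOD, "container-name"))  # []
    for problem in lint_policy(BAD, "container-name"):
        print("BAD:", problem)
```

The GOOD policy passes the lint, but note what the Referer condition actually buys you: the header is set by the client, so it only discourages casual hotlinking and is not an authentication control; anything that must stay private needs a principal restriction or a Deny rule, not a Referer check.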

Operators

An operator defines how the value taken from the request is compared with the value given for the key in the condition.

Numeric operators compare the number from the request with the number specified in the condition:

  • NumericEquals: the value equals the value in the condition
  • NumericGreaterThan: the value is greater than the value in the condition
  • NumericGreaterThanEquals: the value is greater than or equal to the value in the condition
  • NumericLessThan: the value is less than the value in the condition
  • NumericLessThanEquals: the value is less than or equal to the value in the condition
  • NumericNotEquals: the value is not equal to the value in the condition
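The rule-combination order described under Rules (Deny wins, unmatched requests are denied), the ${variable} resource form, and the condition operators above are easiest to reason about by running them. The evaluator below is an added example, not the provider's evaluation engine: it implements exactly that precedence, supports StringEquals and the six Numeric operators listed on this page (anything else raises, so an unknown operator can never widen access), and is driven by a constructed policy that uses the page's placeholder container name and example user ID. The assumption that the provider fills aws:userid into the request context for signed requests is this example's own.

```python
"""Decide Allow/Deny for a request against a bucket policy the way the rules
above describe: a matching Deny overrides any Allow, and a request that
matches no rule is denied. Added example, not the provider's own engine."""
from __future__ import annotations

import fnmatch
import re
from typing import Any, Callable

# Operators from this page: StringEquals (exact) and the Numeric* family
# (compared as numbers). Any other operator raises KeyError: fail closed.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "StringEquals": lambda a, b: a == b,
    "NumericEquals": lambda a, b: float(a) == float(b),
    "NumericNotEquals": lambda a, b: float(a) != float(b),
    "NumericGreaterThan": lambda a, b: float(a) > float(b),
    "NumericGreaterThanEquals": lambda a, b: float(a) >= float(b),
    "NumericLessThan": lambda a, b: float(a) < float(b),
    "NumericLessThanEquals": lambda a, b: float(a) <= float(b),
}


def _as_list(value: Any) -> list:
    # Principal, Action, Resource and condition values may be a string or an array.
    return value if isinstance(value, list) else [value]


def _expand(pattern: str, ctx: dict[str, str]) -> str:
    """Substitute ${key} policy variables (e.g. ${aws:userid}) from the request.
    An unknown variable is left verbatim, so it can never match a real key."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), pattern)


def _principal_matches(principal: Any, user_id: str | None) -> bool:
    ids = _as_list(principal["AWS"]) if isinstance(principal, dict) else _as_list(principal)
    # "*" covers authorized and anonymous requests; a user ID covers only that user.
    return "*" in ids or (user_id is not None and user_id in ids)


def _condition_matches(condition: dict, ctx: dict[str, str]) -> bool:
    """All operators and all keys must hold (AND); among the values listed for
    one key any may match (OR). A key absent from the request fails the check."""
    for operator, keys in condition.items():
        compare = OPERATORS[operator]
        for key, wanted in keys.items():
            actual = ctx.get(key)
            if actual is None or not any(compare(actual, str(w)) for w in _as_list(wanted)):
                return False
    return True


def _statement_matches(stmt: dict, req: dict) -> bool:
    ctx = req.get("context", {})
    return (
        _principal_matches(stmt["Principal"], req.get("user_id"))
        and any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(req["resource"], _expand(r, ctx))
                for r in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition", {}), ctx)
    )


def evaluate(policy: dict, req: dict) -> str:
    """Return "Allow" or "Deny" for one request against the whole policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, req):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any matching Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: denied by default


# Constructed policy for the demo (container name and user ID are the page's
# placeholders): the user may read, write and list only under a prefix equal to
# their own user ID, and nobody may list more than 100 keys per request.
USER = "9103a81de217448d908e53ac60c84acb"
BUCKET_ARN = "arn:aws:s3:::container-name"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnPrefixOnly", "Effect": "Allow", "Principal": {"AWS": [USER]},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/${aws:userid}/*"]},
        {"Sid": "CapListing", "Effect": "Deny", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN,
         "Condition": {"NumericGreaterThan": {"s3:max-keys": ["100"]}}},
    ],
}


def decide(action: str, resource: str, user_id: str | None = None,
           context: dict[str, str] | None = None) -> str:
    """Evaluate POLICY for a request; user_id=None models an anonymous request."""
    ctx = dict(context or {})
    if user_id is not None:
        ctx["aws:userid"] = user_id  # assumed: filled in by the service for signed requests
    return evaluate(POLICY, {"action": action, "resource": resource,
                             "user_id": user_id, "context": ctx})


if __name__ == "__main__":
    print(decide("s3:GetObject", f"{BUCKET_ARN}/{USER}/a.txt", USER))          # Allow
    print(decide("s3:GetObject", f"{BUCKET_ARN}/other/a.txt", USER))           # Deny
    print(decide("s3:ListBucket", BUCKET_ARN, USER, {"s3:max-keys": "50"}))   # Allow
    print(decide("s3:ListBucket", BUCKET_ARN, USER, {"s3:max-keys": "500"}))  # Deny
    print(decide("s3:GetObject", f"{BUCKET_ARN}/{USER}/a.txt"))                # Deny (anonymous)
```

The third and fourth calls are the case the Rules section warns about: the Allow rule matches the listing request either way, but once s3:max-keys exceeds 100 the Deny rule also matches and takes precedence. The anonymous request shows the default: no rule names it, so it is denied even though the object path is otherwise permitted for that user.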