Managing bucket policies
Edge Cloud uses Policy-Based Access Control (PBAC) to manage user permissions by defining the actions and resources that authenticated users can access. Each policy specifies one or more actions and conditions that outline the permissions for a user or group of users. Only the bucket owner can attach a policy to a bucket, and the permissions specified in the policy apply to all objects in the bucket owned by the bucket owner.
The bucket owner retains ownership of all objects in the bucket and manages access exclusively through policies. Bucket policies are written using the JSON-based AWS Identity and Access Management (IAM) policy language, consisting of the following core elements:
- **Statement**: The primary component of a policy, defining the permissions and containing other elements such as principals, resources, actions, and effects. Policies often include an array of statements.
- **Statement ID (Sid)**: A unique identifier assigned to each policy statement.
- **Effect**: Specifies whether the policy allows or denies an action. If no explicit permission is granted, the policy automatically denies access by default.
- **Action**: Lists the specific S3 actions that the policy permits or denies.
- **Principal**: Identifies the user, entity, or account granted permissions within the statement.
- **Resource**: Specifies the S3 bucket or objects to which the policy applies.
- **Condition** (optional): Defines additional restrictions or requirements under which the policy applies.
- **Version** (optional): Indicates the policy language version in use.
Edge Cloud supports the following S3 actions, condition keys, and condition operators for bucket policies:
| Condition key | Description | Value |
|---|---|---|
| s3:x-amz-storage-class | Filters access by storage class | String |
| s3:x-amz-acl | Filters access by canned ACL in the request’s x-amz-acl header | String |
| s3:x-amz-grant-full-control | Filters access by x-amz-grant-full-control (full control) header | String |
| s3:x-amz-grant-read | Filters access by x-amz-grant-read (read access) header | String |
| s3:x-amz-grant-read-acp | Filters access by the x-amz-grant-read-acp (read permissions for the ACL) header | String |
| s3:x-amz-grant-write | Filters access by the x-amz-grant-write (write access) header | String |
| s3:x-amz-grant-write-acp | Filters access by the x-amz-grant-write-acp (write permissions for the ACL) header | String |
| s3:x-amz-copy-source | Filters access by copy source bucket, prefix, or object in the copy object requests | String |
| s3:TlsVersion | Filters access by the TLS version used by the client | Valid values: 1.2, 1.1, and 1.0 |
| s3:x-amz-content-sha256 | Filters access by unsigned content in your bucket | Valid value: UNSIGNED-PAYLOAD |
| s3:signatureversion | Filters access by the version of AWS Signature used on the request | Valid values: `AWS` (identifies Signature Version 2), `AWS4-HMAC-SHA256` (identifies Signature Version 4) |
| s3:signatureAge | Filters access by the age in milliseconds of the request signature | Numeric |
| s3:authType | Filters access by authentication method | Valid values: REST-HEADER, REST-QUERY-STRING, and POST |
| s3:x-amz-website-redirect-location | Filters access by a specific website redirect location for buckets that are configured as static websites | String |
| s3:object-lock-mode | Filters access by object retention mode | Valid values: COMPLIANCE and GOVERNANCE |
| s3:object-lock-retain-until-date | Filters access by object retain-until date | Date |
| s3:object-lock-legal-hold | Filters access by object legal hold status | String |
| s3:object-lock-remaining-retention-days | Filters access by remaining object retention days | Numeric |
| s3:prefix | Filters access by key name prefix | String |
| s3:versionid | Filters access by a specific object version | String |
| s3:max-keys | Filters access by maximum number of keys returned in a ListBucket request | Numeric |
| aws:SourceIp | Filters access by IP range | String |
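To show how the elements above and the `s3:TlsVersion` and `s3:x-amz-content-sha256` condition keys combine at evaluation time, here is an added, constructed example (not code from Edge Cloud or this page): a small policy with one Allow and two Deny statements, and an evaluator that applies the default-deny and explicit-deny-wins rules described above. The account ID, user name, bucket name and the `OPERATORS` subset are assumptions for illustration.

```python
import fnmatch

# Constructed bucket policy (not from the page): one user may read objects,
# nobody may use TLS below 1.2, and nobody may upload an unsigned payload.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyWeakTls", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
        {"Sid": "DenyUnsignedPayload", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD"}}},
    ],
}

# Assumed subset of IAM condition operators (policy value first, request value second).
OPERATORS = {
    "StringEquals": lambda want, got: got == want,
    "NumericLessThan": lambda want, got: float(got) < float(want),
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _conditions_hold(cond, ctx):
    # Every operator/key block must hold; a key missing from the request fails it.
    for op, keys in cond.items():
        for key, wanted in keys.items():
            if key not in ctx or not any(OPERATORS[op](w, ctx[key]) for w in _as_list(wanted)):
                return False
    return True

def evaluate(policy, caller, action, resource, ctx):
    """Decide one request: default deny, then Allow, but an explicit Deny wins."""
    decision = "Deny"
    for st in policy["Statement"]:
        prins = st["Principal"] if isinstance(st["Principal"], dict) else {"AWS": st["Principal"]}
        if "*" not in _as_list(prins["AWS"]) and caller not in _as_list(prins["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Note that a request whose context lacks a condition key (for example no `s3:TlsVersion`) does not match a Deny statement conditioned on that key, so defensive policies should pair such Denies with the narrow Allows they are meant to constrain.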