Managing bucket policies
Edge Cloud uses Policy-Based Access Control (PBAC) to manage user permissions by defining the actions and resources that authenticated users can access. Each policy specifies one or more actions and conditions that outline the permissions for a user or group of users. Only the bucket owner can attach a policy to a bucket, and the permissions specified in the policy apply to all objects in the bucket owned by the bucket owner.
The bucket owner retains ownership of all objects in the bucket and manages access exclusively through policies. Bucket policies are written using the JSON-based AWS Identity and Access Management (IAM) policy language, consisting of the following core elements:
Statement
The primary component of a policy, defining the permissions and containing other elements such as principals, resources, actions, and effects. Policies often include an array of statements.
Statement ID (Sid)
A unique identifier assigned to each policy statement.
Effect
Specifies whether the policy allows or denies an action. If no explicit permission is granted, the policy automatically denies access by default.
Action
Lists the specific S3 actions that the policy permits or denies.
Principal
Identifies the user, entity, or account granted permissions within the statement.
Resource
Specifies the S3 bucket or objects to which the policy applies.
Condition (optional)
Defines additional restrictions or requirements under which the policy applies.
Version (optional)
Indicates the policy language version in use.
Edge Cloud supports the following S3 actions, condition keys, and condition operators for bucket policies:
| Action | Access level | Resource | Description | Condition keys |
|---|---|---|---|---|
| s3:GetObject | Read | Object | Grants permission to retrieve objects from a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetObjectAcl | Read | Object | Grants permission to return the access control list (ACL) of an object | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetObjectVersion | Read | Object | Grants permission to retrieve a specific version of an object | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetObjectVersionAcl | Read | Object | Grants permission to return the access control list (ACL) of a specific object version | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256, aws:SourceIp |
| s3:ListMultipartUploadParts | List | Object | Grants permission to list the parts that have been uploaded for a specific multipart upload | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256, aws:SourceIp |
| s3:ListBucket | List | Bucket | Grants permission to list some or all of the objects in a bucket (up to 1000) | s3:authType, s3:max-keys, s3:prefix, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:ListBucketMultipartUploads | List | Bucket | Grants permission to list in-progress multipart uploads | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:ListBucketVersions | List | Bucket | Grants permission to list metadata about all the versions of objects in a bucket | s3:authType, s3:max-keys, s3:prefix, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketAcl | Read | Bucket | Grants permission to use the acl subresource to return the access control list (ACL) of a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketCORS | Read | Bucket | Grants permission to return the CORS configuration information set for a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketLocation | Read | Bucket | Grants permission to return the region that a bucket resides in | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketLogging | Read | Bucket | Grants permission to return the logging status of a bucket and the permissions users have to view or modify that status | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketNotification | Read | Bucket | Grants permission to get the notification configuration of a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketPolicy | Read | Bucket | Grants permission to return the policy of the specified bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketVersioning | Read | Bucket | Grants permission to return the versioning state of a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketWebsite | Read | Bucket | Grants permission to return the website configuration for a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetLifecycleConfiguration | Read | Bucket | Grants permission to return the lifecycle configuration information set on a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetReplicationConfiguration | Read | Bucket | Grants permission to get the replication configuration information set on a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutObject | Write | Object | Grants permission to add an object to a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold, aws:SourceIp |
| s3:DeleteObject | Write | Object | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:DeleteObjectVersion | Write | Object | Grants permission to remove a specific version of an object | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256, aws:SourceIp |
| s3:AbortMultipartUpload | Write | Object | Grants permission to abort a multipart upload | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:DeleteBucket | Write | Bucket | Grants permission to delete the bucket named in the URI | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketCORS | Write | Bucket | Grants permission to set the CORS configuration for a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketLogging | Write | Bucket | Grants permission to set the logging parameters for a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketNotification | Write | Bucket | Grants permission to receive notifications when certain events happen in a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketRequestPayment | Write | Bucket | Grants permission to set the request payment configuration of a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketVersioning | Write | Bucket | Grants permission to set the versioning state of an existing bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketWebsite | Write | Bucket | Grants permission to set the configuration of the website that is specified in the website subresource | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutLifecycleConfiguration | Write | Bucket | Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutReplicationConfiguration | Write | Bucket | Grants permission to create a new replication configuration or replace an existing one | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketPolicy | Access management | Bucket | Grants permission to add or replace a bucket policy on a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:DeleteBucketPolicy | Access management | Bucket | Grants permission to delete the policy on a specified bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutObjectAcl | Access management | Object | Grants permission to set the access control list (ACL) permissions for new or existing objects in a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class, aws:SourceIp |
| s3:PutObjectVersionAcl | Access management | Object | Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class, aws:SourceIp |
| s3:PutBucketAcl | Access management | Bucket | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, aws:SourceIp |
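As an added example (not Edge Cloud's own code), a small Python linter built from the policy elements listed above and a subset of the action table, with a sample read-only policy: it flags statements missing a core element, actions or condition keys the table does not list, and an Object-level action paired only with a bare bucket ARN (or the reverse), a mismatch that grants nothing. It assumes standard `arn:aws:s3:::` resource ARNs, an AWS-style Principal, and that `s3:TlsVersion` compares numerically; the bucket name, principal and CIDR are placeholders.

```python
# Subset of the action table above: action -> (resource level, extra condition keys beyond COMMON_KEYS).
COMMON_KEYS = {"s3:authType", "s3:signatureAge", "s3:signatureversion",
               "s3:TlsVersion", "s3:x-amz-content-sha256", "aws:SourceIp"}
ACTIONS = {
    "s3:GetObject":        ("Object", set()),
    "s3:GetObjectVersion": ("Object", {"s3:versionid"}),
    "s3:PutObject":        ("Object", {"s3:x-amz-acl", "s3:x-amz-storage-class"}),
    "s3:DeleteObject":     ("Object", set()),
    "s3:ListBucket":       ("Bucket", {"s3:max-keys", "s3:prefix"}),
    "s3:PutBucketPolicy":  ("Bucket", set()),
}

def lint_policy(policy):
    """Return a list of problems; empty means every statement uses only what ACTIONS lists."""
    problems = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        for el in ("Effect", "Principal", "Action", "Resource"):
            if el not in st:
                problems.append(f"{sid}: missing {el}")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        cond_keys = {k for op in st.get("Condition", {}).values() for k in op}
        for a in actions:
            if a not in ACTIONS:
                problems.append(f"{sid}: action {a} is not in the ACTIONS table")
                continue
            level, extra = ACTIONS[a]
            # Object actions match only "<bucket>/<key>" ARNs, bucket actions only the bare bucket ARN.
            wants_key = level == "Object"
            if not any(("/" in r.split(":::", 1)[-1]) == wants_key for r in resources):
                problems.append(f"{sid}: {a} is {level}-level but has no matching Resource ARN")
            for k in sorted(cond_keys - COMMON_KEYS - extra):
                problems.append(f"{sid}: condition key {k} is not supported for {a}")
    return problems

def example_policy(bucket, reader, office_cidr):
    """Read-only access from one network, plus a deny on TLS below 1.2 (assumed numeric key)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadFromOffice", "Effect": "Allow", "Principal": {"AWS": reader},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": office_cidr}}},
        {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"arn:aws:s3:::{bucket}/*",
         "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}}]}
```

Run `lint_policy` on a policy document before attaching it with s3:PutBucketPolicy; an empty result means every statement stays within the elements and keys the table lists.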