Managing bucket policies
Edge Cloud uses Policy-Based Access Control (PBAC) to manage user permissions by defining the actions and resources that authenticated users can access. Each policy specifies one or more actions and conditions that outline the permissions for a user or group of users. Only the bucket owner can attach a policy to a bucket, and the permissions specified in the policy apply to all objects in the bucket owned by the bucket owner.
The bucket owner retains ownership of all objects in the bucket and manages access exclusively through policies. Bucket policies are written using the JSON-based AWS Identity and Access Management (IAM) policy language, consisting of the following core elements:
| Element | Description |
|---|---|
| Statement | The primary component of a policy, defining the permissions and containing other elements such as principals, resources, actions, and effects. Policies often include an array of statements. |
| Statement ID (Sid) | A unique identifier assigned to each policy statement. |
| Effect | Specifies whether the policy allows or denies an action. If no explicit permission is granted, the policy automatically denies access by default. |
| Action | Lists the specific S3 actions that the policy permits or denies. |
| Principal | Identifies the user, entity, or account granted permissions within the statement. |
| Resource | Specifies the S3 bucket or objects to which the policy applies. |
| Condition (optional) | Defines additional restrictions or requirements under which the policy applies. |
| Version (optional) | Indicates the policy language version in use. |
Edge Cloud supports the following S3 actions, condition keys, and condition operators for bucket policies:
| Condition operator | Description |
|---|---|
| StringEquals | Exact matching, case sensitive |
| StringNotEquals | Negated matching, case sensitive |
| StringEqualsIgnoreCase | Exact matching, ignoring case |
| StringNotEqualsIgnoreCase | Negated matching, ignoring case |
| StringLike | Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. Specify wildcards to achieve partial string matches. |
| StringNotLike | Negated case-sensitive matching. The values can include multi-character match wildcards (*) or single-character match wildcards (?) anywhere in the string. |
| NumericEquals | Exact matching |
| NumericNotEquals | Negated matching |
| NumericLessThan | "Less than" matching |
| NumericLessThanEquals | "Less than or equals" matching |
| NumericGreaterThan | "Greater than" matching |
| NumericGreaterThanEquals | "Greater than or equals" matching |
| DateEquals | Matching a specific date |
| DateNotEquals | Negated matching |
| DateLessThan | Matching before a specific date and time |
| DateLessThanEquals | Matching at or before a specific date and time |
| DateGreaterThan | Matching after a specific date and time |
| DateGreaterThanEquals | Matching at or after a specific date and time |
| BinaryEquals | Matching in binary format. It compares the value of the specified key byte for byte against a base-64 encoded representation of the binary value. If the specified key is not present in the request context, the values do not match. |
| IpAddress | Matching the specified IP address or range |
| NotIpAddress | Matching all IP addresses except the specified IP address or range |
To learn more about condition operators, refer to the AWS Identity and Access Management User Guide.
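As an added example (not Edge Cloud's own code, and not a description of how its policy engine is implemented), the following Python walks a constructed bucket policy through the elements defined above and the condition operators in the table: the implicit default deny, an explicit Deny statement overriding an Allow, wildcards in StringLike and in Action/Resource, and what happens when a condition key is absent from the request. The absent-key rule for negated operators (StringNotLike, NotIpAddress and so on match when the key is missing) is borrowed from AWS IAM and is an assumption for Edge Cloud; this page only states that BinaryEquals does not match on a missing key. The bucket name, account ID, principal ARNs and the context key names aws:SourceIp and aws:username are placeholders.

```python
# Toy bucket-policy evaluator (added example, not Edge Cloud's code): default deny,
# explicit deny wins, and the condition operators from the table above.
import base64
import ipaddress
import operator
import re
from datetime import datetime

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _like(value, pattern):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def _date(v):
    """ISO 8601 timestamp, optionally ending in 'Z', as an aware datetime."""
    return datetime.fromisoformat(str(v).replace("Z", "+00:00"))

def _ip(a, b):
    return ipaddress.ip_address(a) in ipaddress.ip_network(b, strict=False)

def _cmp(op, cast):
    return lambda a, b: op(cast(a), cast(b))

# Condition operators from the table: (request value, policy value) -> bool.
OPERATORS = {
    "StringEquals": operator.eq,
    "StringNotEquals": operator.ne,
    "StringEqualsIgnoreCase": lambda a, b: a.lower() == b.lower(),
    "StringNotEqualsIgnoreCase": lambda a, b: a.lower() != b.lower(),
    "StringLike": _like,
    "StringNotLike": lambda a, b: not _like(a, b),
    # The request value is raw bytes; the policy carries it base-64 encoded.
    "BinaryEquals": lambda a, b: a == base64.b64decode(b),
    "IpAddress": _ip,
    "NotIpAddress": lambda a, b: not _ip(a, b),
}
# Numeric* and Date* share the six comparisons; they differ only in how values are cast.
for _suffix, _op in [("Equals", operator.eq), ("NotEquals", operator.ne),
                     ("LessThan", operator.lt), ("LessThanEquals", operator.le),
                     ("GreaterThan", operator.gt), ("GreaterThanEquals", operator.ge)]:
    OPERATORS["Numeric" + _suffix] = _cmp(_op, float)
    OPERATORS["Date" + _suffix] = _cmp(_op, _date)

def conditions_hold(condition, context):
    """All operator blocks and keys must hold; a key's values are OR'd (AND'd for
    negated operators). A key absent from the request context fails positive
    operators and, as in AWS IAM (assumed here for Edge Cloud), satisfies negated ones."""
    for op_name, pairs in condition.items():
        if op_name not in OPERATORS:
            raise ValueError(f"unsupported condition operator: {op_name}")
        negated, combine = "Not" in op_name, (all if "Not" in op_name else any)
        for key, wanted in pairs.items():
            if key not in context:
                if negated:
                    continue
                return False
            if not combine(OPERATORS[op_name](context[key], w) for w in _as_list(wanted)):
                return False
    return True

def _principal_matches(spec, principal):
    names = [p for v in spec.values() for p in _as_list(v)] if isinstance(spec, dict) else _as_list(spec)
    return any(_like(principal, n) for n in names)

def evaluate(policy, principal, action, resource, context):
    """Return 'Allow' or 'Deny' for one request after walking every statement."""
    decision = "Deny"  # nothing matched yet: implicit default deny
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt.get("Principal", "*"), principal)
                and any(_like(action, a) for a in _as_list(stmt["Action"]))
                and any(_like(resource, r) for r in _as_list(stmt["Resource"]))
                and conditions_hold(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        decision = "Allow"
    return decision

# Constructed sample: bucket name, account ID, principal ARNs and context key names are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadFromOfficeRange", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:user/reader", "arn:aws:iam::111122223333:user/admin-1"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyPrivatePrefixToNonAdmins", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/private/*",
         "Condition": {"StringNotLike": {"aws:username": "admin-*"}}},
    ],
}
```

Call `evaluate(SAMPLE_POLICY, principal_arn, action, resource_arn, request_context)` to see the decision for one request. The second statement is the one worth studying: a request on `private/*` whose context carries no `aws:username` at all is denied, because the negated operator treats the missing key as a match, which is exactly why Deny statements built on `...Not...` operators need to be checked against requests that lack the key as well as requests that carry an unexpected value.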