
Bucket Policies

Default

When you create a new bucket, it is private by default: only the authenticated storage user that created the bucket can access it, and all external access is denied. This default is the most secure setting you can apply to your buckets.

Unless you want to serve files publicly from your bucket, keep that default policy in place to prevent unauthorized access to your data. There are many past incidents in which misconfigured bucket policies led to the exposure of confidential data.

Configuring your bucket's policy is a simple matter of adding a policy document to the bucket's configuration, but it should always be done with caution: a misconfiguration is not always apparent, yet it can have catastrophic consequences.

Configuration

As with lifecycle policies or CORS configuration, configuring your bucket's policy is done by creating a policy document and then applying it to your bucket.

The policy document is written in JSON and must follow the bucket policy grammar described in Amazon AWS' public documentation; the same grammar applies here, including the "Version", "Statement", "Effect", "Principal", "Action" and "Resource" elements.

Your finished policy document can be applied to your bucket by using e.g. s3cmd with the following command:

s3cmd setpolicy policy.json s3://your-bucket

Example

The following policy is a common and basic example that allows anyone to access your bucket's content by direct URL. It is particularly useful when you want to serve static files from your bucket, as it allows anyone to retrieve an object but neither modify nor delete it, nor list the bucket's contents (the grant covers only s3:GetObject on the objects, not the bucket itself).

warning

Applying this policy allows anyone to read your bucket's contents without any authentication or authorization. Anyone who knows or guesses an object key can download it.

{
  "Id": "74584f67-3d3b-405b-bc5a-c8dda00b6326",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "f5706f90-4ed0-4fb6-9b6e-09a2761c5fb6",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::your-bucket/*",
      "Principal": "*"
    }
  ]
}

The "Id" and "Sid" values within the policy are arbitrary identifiers and can be any string, not just a UUID. You only need to make sure that each "Sid" is unique within the policy document. Replace "your-bucket" in the "Resource" with the actual name of the bucket the policy is applied to; a resource ARN that names a different bucket does not grant what you intend.
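Because a misconfigured policy is not always apparent, it helps to check a policy document before applying it. The following is an added example written for this page, not code from the servinga docs or from s3cmd: a small checker that parses a bucket policy, collects every grant made to an anonymous principal, and classifies the policy as private, public-read (only s3:GetObject on the bucket's own objects, like the example above) or public-dangerous (anything wider, such as write or delete actions, wildcard actions, a grant on the bucket itself, or a resource ARN for a different bucket). The three sample policies and the bucket name are constructed for the example; the function names are the example's own.

```python
import json
from typing import Any

# Constructed sample inputs (not from the servinga docs): the page's public-read
# policy, a misconfigured public-write variant, and a policy scoped to one user.
PUBLIC_READ_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "public-read",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::your-bucket/*"
  }]
}"""

PUBLIC_WRITE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "oops",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::your-bucket", "arn:aws:s3:::your-bucket/*"]
  }]
}"""

PRIVATE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "alice-full-access",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::your-bucket", "arn:aws:s3:::your-bucket/*"]
  }]
}"""


def _as_list(value: Any) -> list:
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True for "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}, i.e. everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_grants(policy_text: str, bucket: str) -> list[dict[str, Any]]:
    """Return every (action, resource) pair an Allow statement grants to everyone.

    Severity is "info" only for s3:GetObject on objects inside `bucket`; every
    other anonymous grant is "high". NotPrincipal/NotAction/NotResource invert
    the element's meaning and widen the grant, so they are flagged conservatively.
    """
    policy = json.loads(policy_text)
    object_prefix = f"arn:aws:s3:::{bucket}/"
    grants: list[dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        inverted = any(k in stmt for k in ("NotPrincipal", "NotAction", "NotResource"))
        if not inverted and not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action")) or ["<NotAction>"]
        resources = _as_list(stmt.get("Resource")) or ["<NotResource>"]
        for action in actions:
            for resource in resources:
                read_only = (
                    not inverted
                    and action.lower() == "s3:getobject"
                    and resource.startswith(object_prefix)
                )
                grants.append({
                    "sid": stmt.get("Sid"),
                    "action": action,
                    "resource": resource,
                    "severity": "info" if read_only else "high",
                })
    return grants


def classify(policy_text: str, bucket: str) -> str:
    """"private", "public-read" or "public-dangerous" for the given bucket."""
    grants = public_grants(policy_text, bucket)
    if not grants:
        return "private"
    if all(g["severity"] == "info" for g in grants):
        return "public-read"
    return "public-dangerous"


if __name__ == "__main__":
    for name, text in [("read", PUBLIC_READ_POLICY), ("write", PUBLIC_WRITE_POLICY),
                       ("private", PRIVATE_POLICY)]:
        print(name, classify(text, "your-bucket"))
        for g in public_grants(text, "your-bucket"):
            print("  ", g["severity"], g["action"], g["resource"])
```

Run the check against the exact bucket name you are about to apply the policy to: the same public-read document that is "public-read" for your-bucket is classified "public-dangerous" for any other bucket, which catches the common mistake of copying a policy from one bucket to another without editing the Resource ARN. Only apply the document with s3cmd setpolicy once the result is what you intended; s3cmd info s3://your-bucket shows the policy currently in effect, and s3cmd delpolicy s3://your-bucket removes it and returns the bucket to the private default.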