Bucket policy
Bucket policies set permissions for actions with buckets, objects, and object groups.
A policy is triggered when a user makes a request to a resource. As a result, the request is either executed or rejected.
Access is verified at three levels: the user's role (checked by the Identity and Access Management service, IAM), the bucket access policy, and the object's ACL.
- If a request passes the IAM check, the next step is the bucket policy check.
- Bucket policy rules are checked in the following order:
  - If the request meets at least one of the Deny rules, access is denied.
  - If the request meets at least one of the Allow rules, access is allowed.
  - If the request does not meet any of the rules, access is denied.
- If the request fails the IAM or bucket policy check, access verification is performed based on the object's ACL.
Note
If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.
You can set up the bucket policy in the management console or describe it in JSON format using a special scheme to provide the settings through one of the software tools: the Yandex Cloud CLI, AWS CLI, Terraform, or API. To learn more about policy management, see this guide.
Policy components
A bucket policy consists of rules, while a rule consists of the following basic elements:
- Resource: A bucket (such as samplebucket), a bucket object (samplebucket/some/key), or a prefix (samplebucket/some/path/*), including an empty prefix to indicate all objects in the bucket (samplebucket/*). You can specify multiple resources in a rule.
Note
A bucket resource does not include the resources of all its objects. To make sure a bucket policy rule refers to the bucket and all its objects, specify them as separate resources, such as samplebucket and samplebucket/*.
If you describe a policy in JSON format, a resource should have the arn:aws:s3::: prefix, for example, arn:aws:s3:::samplebucket.
- Action: Set of resource operations the rule either prohibits or allows. For more information, see Actions.
- Result: Denying or allowing the requested action. First, the request is checked against the Deny action filter. If matched, the request is rejected and no further checks are performed. If it meets the Allow action filter criteria, the request is allowed. If the request does not meet any of the filters, it is rejected.
- Principal: Recipient of the requested permission. This can be an IAM user, a federated user, a service account, or an anonymous user.
- Condition: Item determining whether a rule is effective. For more information, see Conditions.
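The evaluation order and the rule elements described above, implemented as a small reference evaluator. This is an added example, not Yandex Cloud's own code: the request dictionary, the make_request helper, the placeholder user IDs and the three condition operators it understands (Bool, IpAddress, StringLike) are assumptions chosen to cover the rules shown on this page, and the service may behave differently for cases not shown here.

```python
# Reference evaluator for the bucket policy order described on this page
# (added example, not Yandex Cloud code): a matching Deny wins, then a matching
# Allow, otherwise the request is implicitly denied.
import fnmatch
import ipaddress
import json

ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _expand(pattern, request):
    """Substitute policy variables such as ${aws:userid} from the request context."""
    for key, val in request["context"].items():
        pattern = pattern.replace("${" + key + "}", str(val))
    return pattern


def _principal_matches(principal, request):
    if principal == "*":  # anyone, including anonymous callers
        return True
    ids = _as_list(principal.get("CanonicalUser", []))
    return request["user_id"] is not None and request["user_id"] in ids


def _condition_matches(condition, request):
    """Every operator and every key in a Condition block must hold (logical AND)."""
    ctx = request["context"]
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # a missing context key never satisfies a condition
                return False
            if operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            elif operator == "IpAddress":
                nets = [ipaddress.ip_network(n, strict=False) for n in _as_list(expected)]
                ok = any(ipaddress.ip_address(actual) in n for n in nets)
            elif operator == "StringLike":
                pats = [_expand(p, request) for p in _as_list(expected)]
                ok = any(fnmatch.fnmatchcase(actual, p) for p in pats)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, request):
    resources = [_expand(r, request) for r in _as_list(stmt["Resource"])]
    return (
        _principal_matches(stmt["Principal"], request)
        and any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(request["resource"], r) for r in resources)
        and _condition_matches(stmt.get("Condition", {}), request)
    )


def evaluate(policy, request):
    """Return "Allow" or "Deny" for one request against one bucket policy."""
    matched = [s for s in policy.get("Statement", []) if _statement_matches(s, request)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"  # an explicit Deny ends evaluation
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "Deny"  # nothing matched: implicit deny, so an empty policy denies everyone


def make_request(action, key=None, user_id=None, context=None):
    """Constructed request; key=None means the bucket itself is the resource."""
    resource = ARN_PREFIX + "samplebucket" + (f"/{key}" if key else "")
    return {"action": action, "resource": resource, "user_id": user_id,
            "context": context or {}}


# Constructed policy with placeholder IDs that combines the page's patterns:
# anonymous TLS-only reads of a public prefix, a per-caller home prefix, one
# user with object-only access, and a Deny for one source IP that overrides
# every Allow.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::samplebucket/public/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "*",
     "Resource": "arn:aws:s3:::samplebucket/${aws:userid}/*"},
    {"Effect": "Allow", "Principal": {"CanonicalUser": "user-2-id"},
     "Action": "*", "Resource": "arn:aws:s3:::samplebucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::samplebucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "100.101.102.103"}}}
  ]
}""")
```

Two behaviours are worth trying with it: the Deny for one address wins even for user-2-id, who otherwise has full object access, and a ListBucket request by user-2-id is denied because the statement's resource is samplebucket/*, which does not cover the bucket itself, exactly as the note above warns.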
Bucket access via the management console
If a bucket has an access policy configured, access to the bucket via the Yandex Cloud management console is disabled by default. To enable bucket access, add a rule under the Statement section of the access policy that allows any requests to the <bucket name>/* and <bucket name> resources via the management console.
Example rule for a specific Yandex Cloud user:
{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket name>/*",
    "arn:aws:s3:::<bucket name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": "https://console.cloud.yandex.*/folders/*/storage/buckets/your-bucket-name*"
    }
  }
}
You can retrieve the user ID by following this guide in the Yandex Identity and Access Management documentation.
Sample configurations
- Rule that allows an anonymous user to read objects in the samplebucket bucket over an encrypted connection:
  {
    "Id": "epd4limdp3dgec7enpq5",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "f1qqoehl1q53l06kqurs",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<bucket name>/*",
        "Condition": {
          "Bool": {
            "aws:SecureTransport": "true"
          }
        }
      }
    ]
  }
- Rule that only allows objects to be downloaded from a specified range of IP addresses:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<bucket name>/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "100.101.102.128/30"
          }
        }
      }
    ]
  }
- Rule that prohibits objects from being downloaded from the specified IP address:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": "arn:aws:s3:::<bucket name>/*"
      },
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<bucket name>/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "100.101.102.103"
          }
        }
      }
    ]
  }
- Rule that provides different users with full access only to certain folders, with each user being able to access their own:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "User1PermissionsResource",
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "<user ID>"
        },
        "Action": "*",
        "Resource": ["arn:aws:s3:::<bucket name>/user1path/*"]
      },
      {
        "Sid": "User1PermissionsPrefix",
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "<user ID>"
        },
        "Action": "s3:ListBucket",
        "Resource": ["arn:aws:s3:::<bucket name>"],
        "Condition": {
          "StringLike": {
            "s3:prefix": "user1path/*"
          }
        }
      },
      {
        "Sid": "User2PermissionsResource",
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "<user ID>"
        },
        "Action": "*",
        "Resource": ["arn:aws:s3:::<bucket name>/user2path/*"]
      },
      {
        "Sid": "User2PermissionsPrefix",
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "<user ID>"
        },
        "Action": "s3:ListBucket",
        "Resource": ["arn:aws:s3:::<bucket name>"],
        "Condition": {
          "StringLike": {
            "s3:prefix": "user2path/*"
          }
        }
      }
    ]
  }
- Rule that provides each user and service account with full access to a folder with the name equal to the user ID or service account ID:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "OwnDirPermissions",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": ["arn:aws:s3:::<bucket name>/${aws:userid}/*"]
      }
    ]
  }
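As an added example, not part of this page or of Yandex Cloud's tooling, a static review pass to run over a policy before applying it. It flags three patterns that the samples above make visible: an Allow that gives Principal "*" write-capable actions with no Condition (the first statement of the "prohibits downloads from the specified IP address" sample grants anonymous callers every action on every object; only downloads from one address are then denied), an anonymous read with no Condition, and s3:ListBucket granted only on object resources, which the note in Policy components explains never covers the bucket itself. The lint function, its finding strings and the constructed BadList policy are assumptions; the two page samples are copied as-is.

```python
# Static review of bucket policies (added example, not Yandex Cloud code).
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_write(actions):
    """True if the action set covers writes: a bare "*", "s3:*", or a Put/Delete action."""
    return any(a in ("*", "s3:*") or a.startswith(("s3:Put", "s3:Delete")) for a in actions)


def lint(policy):
    """Return a list of (sid_or_index, finding) tuples; an empty list means no findings."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        allow = stmt.get("Effect") == "Allow"
        anonymous = stmt.get("Principal") == "*"
        conditional = bool(stmt.get("Condition"))

        # 1. Anonymous callers may modify objects and nothing narrows the rule.
        #    Resources scoped by ${aws:userid} are skipped: they are per caller.
        if (allow and anonymous and not conditional and _grants_write(actions)
                and not any("${" in r for r in resources)):
            findings.append((sid, "unconditional anonymous write access"))
        # 2. Anonymous read with no condition: the objects are public (informational).
        elif allow and anonymous and not conditional and "s3:GetObject" in actions:
            findings.append((sid, "unconditional anonymous read access"))

        # 3. ListBucket acts on the bucket, not its objects: a statement that names
        #    only ".../something" resources never matches a listing request.
        if ("s3:ListBucket" in actions and resources
                and all("/" in r.split(":::", 1)[-1] for r in resources)):
            findings.append((sid, "s3:ListBucket granted without a bucket-level resource"))
    return findings


# Copy of the page's "prohibits downloads from the specified IP address" sample.
PAGE_SAMPLE_DENY_IP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*",
     "Resource": "arn:aws:s3:::<bucket name>/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::<bucket name>/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "100.101.102.103"}}}
  ]
}""")

# Copy of the page's IP-range sample: the Condition narrows the anonymous read.
PAGE_SAMPLE_IP_RANGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::<bucket name>/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "100.101.102.128/30"}}}
  ]
}""")

# Constructed mistake: listing granted on the object prefix instead of the bucket,
# so the user can never list their folder.
CONSTRUCTED_BAD_LIST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BadList", "Effect": "Allow", "Principal": {"CanonicalUser": "<user ID>"},
     "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::<bucket name>/user1path/*"],
     "Condition": {"StringLike": {"s3:prefix": "user1path/*"}}}
  ]
}""")
```

Running lint over the per-user-folder sample from the page returns nothing, because each ListBucket statement names the bucket ARN and narrows it with s3:prefix; that is the shape to copy when a listing rule is needed.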