Bucket Policy and Permissions

A bucket policy lets you restrict or grant access to any of your buckets, to individual objects, or to a group of objects.

Bucket Policy Examples

Allow GetObject and HeadObject API calls from the IPv6 address 2001:4860:4860::8888 and from the IPv4 subnet 192.168.0.0/24, except for the IP addresses 192.168.0.98 and 192.168.0.99, to all private and public files that match the following mask: data/*/?heck.txt.

    {
        "Version": "2012-10-17",
        "Id": "S3PolicyAllow-IP",
        "Statement": [{
            "Sid": "IP-Allow",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:HeadObject"],
            "Resource": "data/*/?heck.txt",
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["192.168.0.0/24", "2001:4860:4860::8888"]},
                "NotIpAddress": {"aws:SourceIp": ["192.168.0.98", "192.168.0.99"]}
            }
        }]
    }

Deny all unsigned requests to public files from any User Agent other than curl/7.68.0.

    {
        "Version": "2012-10-17",
        "Id": "S3PolicyCurl-UA",
        "Statement": [{
            "Sid": "UA-Deny",
            "Effect": "Deny",
            "Action": ["s3:GetObject", "s3:HeadObject"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:UserAgent": [
                        "curl/7.68.0"
                    ]
                }
            }
        }]
    }

Allow unsigned ListObjects API calls from the curl/7.68.0 User Agent and the IP address 192.168.0.1.

    {
        "Version": "2012-10-17",
        "Id": "S3PolicyAllow-IP-UA",
        "Statement": [{
            "Sid": "IP-UA-Allow",
            "Effect": "Allow",
            "Action": ["s3:ListObjects"],
            "Resource": "*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["192.168.0.1"]},
                "StringEquals": {
                    "aws:UserAgent": [
                        "curl/7.68.0"
                    ]
                }
            }
        }]
    }
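
To check a policy before applying it, the following added example (not code from this service or its documentation) tests whether a statement from the first two policies above applies to a given request. It assumes AWS-style semantics: values inside one condition operator are OR-ed, separate operators are AND-ed, and in the resource mask "*" matches any run of characters, including "/", while "?" matches exactly one. The function name statement_applies and the sample requests are constructed for illustration.

```python
import fnmatch
import ipaddress

def _ip_in(addr, networks):
    # True if addr falls inside any listed address or CIDR block (IPv4 or IPv6).
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

# Assumption: values inside one operator are OR-ed; separate operators are AND-ed.
OPERATORS = {
    "IpAddress": lambda got, want: _ip_in(got, want),
    "NotIpAddress": lambda got, want: not _ip_in(got, want),
    "StringEquals": lambda got, want: got in want,
    "StringNotEquals": lambda got, want: got not in want,
}

def statement_applies(stmt, action, key, context):
    """Return True when the action, object key and every condition match stmt."""
    if action not in stmt["Action"]:
        return False
    # Assumption: "*" matches any run of characters (even "/"), "?" exactly one.
    if not fnmatch.fnmatchcase(key, stmt["Resource"]):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        for context_key, wanted in clauses.items():
            if not OPERATORS[operator](context[context_key], wanted):
                return False
    return True

# Statements copied from the first and second policies on this page.
IP_ALLOW = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:HeadObject"],
    "Resource": "data/*/?heck.txt",
    "Condition": {
        "IpAddress": {"aws:SourceIp": ["192.168.0.0/24", "2001:4860:4860::8888"]},
        "NotIpAddress": {"aws:SourceIp": ["192.168.0.98", "192.168.0.99"]},
    },
}
UA_DENY = {
    "Effect": "Deny",
    "Action": ["s3:GetObject", "s3:HeadObject"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:UserAgent": ["curl/7.68.0"]}},
}

if __name__ == "__main__":  # constructed sample requests
    for ip in ("192.168.0.5", "192.168.0.98", "2001:4860:4860::8888"):
        ctx = {"aws:SourceIp": ip}
        print(ip, statement_applies(IP_ALLOW, "s3:GetObject", "data/a/check.txt", ctx))
```

The function only reports whether a statement matches a request; the statement's Effect is then what the service applies.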

See Also

Refer here for more information.