A bucket policy is a resource-based JSON document that defines access permissions for an S3 bucket and its objects, allowing you to control who can access your bucket and what actions they can perform.
An S3 bucket policy is a resource-based policy that you use to grant or deny access to an Amazon S3 bucket and the objects stored in it. Only the bucket owner (the AWS account that owns the bucket) can attach a policy to it. The policy is written in JSON using the AWS Identity and Access Management (IAM) policy language.
Bucket policies are attached at the bucket level, but each statement applies only to the resources its Resource element names: the bucket ARN for bucket-level actions such as s3:ListBucket, and arn:aws:s3:::bucket-name/* for object-level actions such as s3:GetObject. Permissions can be scoped by the requester (principal), the S3 action, the resource, and attributes of the request such as its source IP address or source VPC.
A minimal example policy grants any IAM principal in AWS account 111122223333 permission to list the contents of the bucket 'my_bucket' (Action s3:ListBucket on Resource arn:aws:s3:::my_bucket). If 111122223333 is not the bucket owner's account, the requesting identity in that account also needs an identity-based IAM policy that allows s3:ListBucket. Every statement in a bucket policy is built from the following elements:
Effect: Whether the statement allows or denies access; must be 'Allow' or 'Deny'.
Principal: The entity the statement applies to, such as an AWS account, IAM user, IAM role, or federated user. '*' matches everyone, including anonymous requests; an Allow with Principal '*' and no restrictive Condition makes the bucket public, which S3 Block Public Access (the BlockPublicPolicy setting) rejects when it is enabled.
Action: The S3 operations being allowed or denied, such as s3:GetObject, s3:ListBucket, or s3:PutObject; wildcards such as s3:* are accepted.
Resource: The bucket or objects the statement covers, given as Amazon Resource Names (ARNs). The bucket itself is 'arn:aws:s3:::bucket-name'; its objects are 'arn:aws:s3:::bucket-name/*'. Bucket-level actions such as s3:ListBucket must name the bucket ARN, and object-level actions such as s3:GetObject must name an object ARN, so a statement covering both lists both.
Condition: Optional; restricts when the statement applies, for example by source IP address (aws:SourceIp), source VPC (aws:SourceVpc), or request time (aws:CurrentTime).
By default, all S3 resources are private and accessible only to the AWS account that created them. Bucket policies are one of the primary mechanisms for granting access beyond this default. When a request arrives, AWS evaluates every applicable policy (the requester's identity-based IAM policies and the bucket policy, among others). The decision starts from an implicit deny: access is granted only if some matching statement allows it, and an explicit Deny in any matching statement overrides every Allow. Within a single account, an Allow in either the identity policy or the bucket policy is sufficient; across accounts, both the bucket policy and the requester's identity policy must allow the action.
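The following is an added example, not code from the original page or from AWS: it writes out a bucket policy that uses every element listed above (the account-level s3:ListBucket grant from the example, an object-read grant, and an explicit Deny guarded by an aws:SourceIp condition) and then runs requests through a deliberately simplified model of the evaluation rules just described. The account ID 111122223333, the bucket my_bucket and the CIDR 203.0.113.0/24 are placeholders, the evaluator models only the bucket policy (no identity policies, SCPs or ACLs) and only the IpAddress/NotIpAddress condition operators, and lint() is a small check for two mistakes practitioners make often: an object-level action on the bucket ARN, and an unconditional Allow to Principal '*'.

```python
import fnmatch
import ipaddress
import json

# Constructed example policy (placeholder account, bucket and CIDR).
# Statement 1 is the listing grant from the text; statement 2 grants object
# reads to the same account; statement 3 denies object reads from any address
# outside the corporate range, whoever the requester is.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountListBucket",
      "Effect": "Allow",
      "Principal": {"AWS": "111122223333"},
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my_bucket"
    },
    {
      "Sid": "AllowAccountGetObject",
      "Effect": "Allow",
      "Principal": {"AWS": "111122223333"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
      "Sid": "DenyGetObjectOutsideCorpNet",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    }
  ]
}
""")

# Constructed policy with two common mistakes for lint() to catch: an
# object-level action on the bucket ARN, and an unconditional public Allow.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadOnBucketArn",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my_bucket",
    }],
}

OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account):
    """Simplified model: '*' matches anyone; {"AWS": ...} matches listed account IDs."""
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or account in allowed


def _condition_matches(condition, request):
    """Simplified model: only IpAddress / NotIpAddress on aws:SourceIp are supported."""
    source = ipaddress.ip_address(request["source_ip"])
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator {operator}")
        networks = [ipaddress.ip_network(c) for c in _as_list(keys.get("aws:SourceIp", []))]
        in_range = any(source in net for net in networks)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy, request):
    """Decide 'Allow' or 'Deny' for request = {account, action, resource, source_ip}.
    Starts from an implicit deny; an explicit Deny in any matching statement wins."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], request["account"]):
            continue
        if not any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides every Allow
        decision = "Allow"
    return decision


def lint(policy):
    """Flag action/resource level mismatches and unconditional public Allow statements."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt["Resource"])
        object_arns = [r for r in resources if "/" in r.rsplit(":::", 1)[-1]]
        for action in _as_list(stmt["Action"]):
            if action in OBJECT_LEVEL and not object_arns:
                findings.append(f"{sid}: {action} needs an object ARN (bucket-name/*)")
            if action in BUCKET_LEVEL and len(object_arns) == len(resources):
                findings.append(f"{sid}: {action} needs the bucket ARN, not bucket-name/*")
        if stmt["Effect"] == "Allow" and stmt["Principal"] == "*" and "Condition" not in stmt:
            findings.append(f"{sid}: unconditional Allow to Principal '*' makes the bucket public")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        req = {"account": "111122223333", "action": "s3:GetObject",
               "resource": "arn:aws:s3:::my_bucket/report.csv", "source_ip": ip}
        print(ip, evaluate(BUCKET_POLICY, req))
    print(lint(BAD_POLICY))
```

The Deny statement is what makes the IP restriction hold: if it were written instead as an Allow with an IpAddress condition, a second Allow from any other policy could still open the object to other networks, whereas an explicit Deny cannot be overridden. The linter's resource-level check catches the most frequent cause of unexpected AccessDenied errors, an object action granted on the bucket ARN, which AWS accepts syntactically but which never matches any object.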