Adding a bucket policy by using the Amazon S3 console - Amazon Simple Storage Service

You can use the Amazon Policy Generator and the Amazon S3 console to add a new bucket policy or edit an existing bucket policy. A bucket policy is a resource-based Amazon Identity and Access Management (IAM) policy. You add a bucket policy to a bucket to grant other Amazon Web Services accounts or IAM users access permissions for the bucket and the objects in it. Object permissions apply only to the objects that the bucket owner creates. For more information about bucket policies, see Overview of managing access.

Make sure to resolve security warnings, errors, general warnings, and suggestions from Amazon Identity and Access Management Access Analyzer before you save your policy. IAM Access Analyzer runs policy checks to validate your policy against IAM policy grammar and best practices. These checks generate findings and provide actionable recommendations to help you author policies that are functional and conform to security best practices. To learn more about validating policies by using IAM Access Analyzer, see IAM Access Analyzer policy validation in the IAM User Guide. To view a list of the warnings, errors, and suggestions that are returned by IAM Access Analyzer, see IAM Access Analyzer policy check reference.

For guidance on troubleshooting errors with a policy, see Troubleshoot Access Denied (403 Forbidden) errors in Amazon S3.

To create or edit a bucket policy
  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the left navigation pane, choose Buckets.

  3. In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.

  4. Choose the Permissions tab.

  5. Under Bucket policy, choose Edit. The Edit bucket policy page appears.

  6. On the Edit bucket policy page, do one of the following:

    • To see examples of bucket policies in the Amazon S3 User Guide, choose Policy examples.

    • To generate a policy automatically, or edit the JSON in the Policy section, choose Policy generator.

    If you choose Policy generator, the Amazon Policy Generator opens in a new window.

    1. On the Amazon Policy Generator page, for Select Type of Policy, choose S3 Bucket Policy.

    2. Add a statement by entering the information in the provided fields, and then choose Add Statement. Repeat this step for as many statements as you would like to add. For more information about these fields, see the IAM JSON policy elements reference in the IAM User Guide.

      Note

      For your convenience, the Edit bucket policy page displays the Bucket ARN (Amazon Resource Name) of the current bucket above the Policy text field. You can copy this ARN for use in the statements on the Amazon Policy Generator page.

    3. After you finish adding statements, choose Generate Policy.

    4. Copy the generated policy text, choose Close, and return to the Edit bucket policy page in the Amazon S3 console.

  7. In the Policy box, edit the existing policy or paste the bucket policy from the Amazon Policy Generator. Make sure to resolve security warnings, errors, general warnings, and suggestions before you save your policy.

    Note

    Bucket policies are limited to 20 KB in size.

  8. (Optional) Choose Preview external access in the lower-right corner to preview how your new policy affects public and cross-account access to your resource. Before you save your policy, you can check whether it introduces new IAM Access Analyzer findings or resolves existing findings. If you don’t see an active analyzer, choose Go to Access Analyzer to create an account analyzer in IAM Access Analyzer. For more information, see Preview access in the IAM User Guide.

  9. Choose Save changes, which returns you to the Permissions tab.
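Before pasting policy text into the Policy box in step 7, a local pre-check can catch three things this procedure warns about: the 20 KB size limit, a Resource that does not match the Bucket ARN shown on the Edit bucket policy page, and an Allow statement open to any principal. The script below is an added example, not Amazon code and not IAM Access Analyzer's checks; the bucket name, account ID, sample policy, and function names are constructed, and 20 KB is assumed to mean 20,480 bytes.

```python
import json

MAX_POLICY_BYTES = 20 * 1024  # assumption: "20 KB" read as 20,480 bytes
BUCKET_ARN = "arn:aws-cn:s3:::example-bucket"  # constructed; copy yours from the console
SAMPLE_POLICY = json.dumps({  # constructed policy; second statement has two defects
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CrossAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws-cn:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws-cn:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws-cn:s3:::example-buckt/*"},
    ],
})

def _as_list(value):
    # Policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    # Both "*" and {"AWS": "*"} grant access to any principal.
    values = principal.values() if isinstance(principal, dict) else [principal]
    return any("*" in _as_list(v) for v in values)

def precheck_bucket_policy(policy_text, bucket_arn):
    """Return findings for a bucket policy that is about to be pasted into the console."""
    findings = []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("policy exceeds the 20 KB bucket policy limit")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return findings + ["top level of the policy is not a JSON object"]
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"#{i}")
        # Every Resource must be this bucket or an object key under it.
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: Resource {res} is outside {bucket_arn}")
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and _is_wildcard_principal(stmt.get("Principal"))):
            findings.append(f"{sid}: Allow to any principal with no Condition (public access)")
    return findings

if __name__ == "__main__":
    for finding in precheck_bucket_policy(SAMPLE_POLICY, BUCKET_ARN):
        print(finding)
```

An empty result from this script only means these three checks passed; the warnings and findings shown on the Edit bucket policy page still need to be resolved before you save.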