

# Managing access to an Amazon S3 on Outposts bucket using a bucket policy
<a name="S3OutpostsBucketPolicy"></a>

A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that you can use to grant access permissions to your bucket and the objects in it. Only the bucket owner can associate a policy with a bucket. The permissions attached to the bucket apply to all of the objects in the bucket that are owned by the bucket owner. Bucket policies are limited to 20 KB in size. For more information, see [Bucket policy](S3onOutposts.md#S3OutpostsBucketPolicies).

You can update your bucket policy to manage access to your Amazon S3 on Outposts bucket. For more information, see the following topics.

**Topics**
+ [Adding or editing a bucket policy for an Amazon S3 on Outposts bucket](S3OutpostsBucketPolicyEdit.md)
+ [Viewing the bucket policy for your Amazon S3 on Outposts bucket](S3OutpostsBucketPolicyGet.md)
+ [Deleting the bucket policy for your Amazon S3 on Outposts bucket](S3OutpostsBucketPolicyDelete.md)
+ [Bucket policy examples](S3Outposts-example-bucket-policies.md)

# Adding or editing a bucket policy for an Amazon S3 on Outposts bucket
<a name="S3OutpostsBucketPolicyEdit"></a>


The following topics show you how to update your Amazon S3 on Outposts bucket policy by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDK for Java. 

## Using the S3 console
<a name="s3-outposts-bucket-edit-policy"></a>

**To create or edit a bucket policy**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket whose bucket policy you want to edit.

1. Choose the **Permissions** tab.

1. In the **Outposts bucket policy** section, choose **Edit** to create a policy or to change the existing one.

   You can now add or edit the S3 on Outposts bucket policy. For more information, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md).

## Using the AWS CLI
<a name="S3OutpostsPutBucketPolicyCLI"></a>

The following AWS CLI example puts a policy on an Outposts bucket.

1. Save the following bucket policy to a JSON file. In this example, the file is named `policy1.json`. Replace the `user input placeholders` with your own information.

   ```
   {
      "Version":"2012-10-17",
      "Id":"testBucketPolicy",
      "Statement":[
         {
            "Sid":"st1",
            "Effect":"Allow",
            "Principal":{
               "AWS":"arn:aws:iam::123456789012:root"
            },
            "Action":[
               "s3-outposts:GetObject",
               "s3-outposts:PutObject",
               "s3-outposts:DeleteObject",
               "s3-outposts:ListBucket"
            ],
            "Resource":"arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket"
         }
      ]
   }
   ```


1. Submit the JSON file as part of the `put-bucket-policy` CLI command. To run this command, replace the `user input placeholders` with your own information.

   ```
   aws s3control put-bucket-policy --account-id 123456789012 --bucket arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket --policy file://policy1.json
   ```
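Before you submit a policy with `put-bucket-policy`, it is worth catching the mistakes that a successful API call will not catch for you. The following Python script is an added example, not code from the original page or from AWS: it checks a policy document against the 20 KB limit stated above (read here as 20480 bytes), rejects non-JSON, checks that every action uses the `s3-outposts:` namespace, checks that every resource is a well-formed S3 on Outposts ARN (the regular expression is an assumption modelled on the ARNs used on this page), flags an unconditional `Allow` to `Principal` `*`, and builds the CLI command from the step above while refusing an `--account-id` that differs from the account in the bucket ARN, since only the bucket owner can put a policy. The bucket ARN, the second "bad" policy and the `policy1.json` file name are constructed inputs. It uses only the standard library and sends nothing to AWS.

```python
"""Pre-flight lint for an S3 on Outposts bucket policy before put-bucket-policy.

Added example, standard library only; it does not call AWS. The 20 KB limit is
taken from the page and read here as 20480 bytes; the ARN pattern and the
lowercase bucket-name rule are this example's assumptions.
"""
import json
import re

MAX_POLICY_BYTES = 20 * 1024

# arn:aws:s3-outposts:<region>:<account>:outpost/<outpost-id>/bucket/<name>[/*|/object/<key>]
# or the same prefix followed by accesspoint/<name>. Assumed shape, modelled on the page's ARNs.
OUTPOSTS_ARN = re.compile(
    r"^arn:aws:s3-outposts:[a-z0-9-]+:\d{12}:outpost/op-[0-9a-f]+/"
    r"(?:bucket/[a-z0-9.-]+|accesspoint/[a-z0-9-]+)(?:/\*|/object/.+)?$"
)


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text):
    """Return a list of findings for the policy document; an empty list means it passed."""
    findings = []
    size = len(policy_text.encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        findings.append(f"policy is {size} bytes, over the {MAX_POLICY_BYTES}-byte limit")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"policy is not valid JSON: {exc}"]
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is missing or not 2012-10-17")
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            # S3 on Outposts actions live in the s3-outposts: namespace, not s3:
            if not action.startswith("s3-outposts:"):
                findings.append(f"{sid}: action {action!r} is not an s3-outposts: action")
        for resource in _as_list(stmt.get("Resource", [])):
            if not OUTPOSTS_ARN.match(resource):
                findings.append(f"{sid}: resource {resource!r} is not a well-formed S3 on Outposts ARN")
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if anonymous and stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            findings.append(f"{sid}: Allow to Principal * with no Condition grants anonymous access")
    return findings


def build_put_command(account_id, bucket_arn, policy_path):
    """Build the put-bucket-policy command line, refusing an --account-id that does
    not match the account in the bucket ARN (only the bucket owner can put a policy)."""
    arn_account = bucket_arn.split(":")[4]
    if arn_account != account_id:
        raise ValueError(f"--account-id {account_id} does not match bucket ARN account {arn_account}")
    return (
        "aws s3control put-bucket-policy "
        f"--account-id {account_id} --bucket {bucket_arn} --policy file://{policy_path}"
    )


# Constructed inputs: the page's policy1.json, then a copy with two defects
# (a doubled "aws:" partition in the ARN and an unconditional anonymous Allow).
BUCKET_ARN = "arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket"
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "testBucketPolicy",
    "Statement": [{
        "Sid": "st1",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3-outposts:GetObject", "s3-outposts:PutObject",
                   "s3-outposts:DeleteObject", "s3-outposts:ListBucket"],
        "Resource": BUCKET_ARN,
    }],
})
BAD_POLICY = (
    GOOD_POLICY.replace("arn:aws:s3-outposts", "arn:aws:aws:s3-outposts")
    .replace('{"AWS": "arn:aws:iam::123456789012:root"}', '"*"')
)

if __name__ == "__main__":
    print("good policy findings:", lint_policy(GOOD_POLICY))
    for finding in lint_policy(BAD_POLICY):
        print("bad policy:", finding)
    print(build_put_command("123456789012", BUCKET_ARN, "policy1.json"))
```

Run it as a script to see the findings for both policies, or call `lint_policy` from a pre-commit hook or CI job so the policy file is checked before the deploy step runs `put-bucket-policy`.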

## Using the AWS SDK for Java
<a name="S3OutpostsPutBucketPolicyJava"></a>

The following SDK for Java example puts a policy on an Outposts bucket.

```
import com.amazonaws.services.s3control.AWSS3Control;
import com.amazonaws.services.s3control.AWSS3ControlClientBuilder;
import com.amazonaws.services.s3control.model.*;

// The bucket owner's account ID, and an S3 Control client for the Outpost's home Region.
private static final String AccountId = "123456789012";
private static final AWSS3Control s3ControlClient = AWSS3ControlClientBuilder.standard()
        .withRegion("us-east-1")
        .build();

public void putBucketPolicy(String bucketArn) {

    // Grants the bucket owner's account every s3-outposts action on the bucket; scope the actions down for production use.
    String policy = "{\"Version\":\"2012-10-17\",\"Id\":\"testBucketPolicy\",\"Statement\":[{\"Sid\":\"st1\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"" + AccountId + "\"},\"Action\":\"s3-outposts:*\",\"Resource\":\"" + bucketArn + "\"}]}";

    PutBucketPolicyRequest reqPutBucketPolicy = new PutBucketPolicyRequest()
            .withAccountId(AccountId)
            .withBucket(bucketArn)
            .withPolicy(policy);

    PutBucketPolicyResult respPutBucketPolicy = s3ControlClient.putBucketPolicy(reqPutBucketPolicy);
    System.out.printf("PutBucketPolicy Response: %s%n", respPutBucketPolicy.toString());

}
```

# Viewing the bucket policy for your Amazon S3 on Outposts bucket
<a name="S3OutpostsBucketPolicyGet"></a>


The following topics show you how to view your Amazon S3 on Outposts bucket policy by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDK for Java. 

## Using the S3 console
<a name="s3-outposts-bucket-policy"></a>

**To view a bucket policy**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket whose bucket policy you want to view.

1. Choose the **Permissions** tab.

1. In the **Outposts bucket policy** section, you can review your existing bucket policy. For more information, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md).

## Using the AWS CLI
<a name="S3OutpostsGetBucketPolicyCLI"></a>

The following AWS CLI example gets a policy for an Outposts bucket. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control get-bucket-policy --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket
```

## Using the AWS SDK for Java
<a name="S3OutpostsGetBucketPolicyJava"></a>

The following SDK for Java example gets a policy for an Outposts bucket.

```
import com.amazonaws.services.s3control.AWSS3Control;
import com.amazonaws.services.s3control.AWSS3ControlClientBuilder;
import com.amazonaws.services.s3control.model.*;

// The bucket owner's account ID, and an S3 Control client for the Outpost's home Region.
private static final String AccountId = "123456789012";
private static final AWSS3Control s3ControlClient = AWSS3ControlClientBuilder.standard()
        .withRegion("us-east-1")
        .build();

public void getBucketPolicy(String bucketArn) {

    GetBucketPolicyRequest reqGetBucketPolicy = new GetBucketPolicyRequest()
            .withAccountId(AccountId)
            .withBucket(bucketArn);

    GetBucketPolicyResult respGetBucketPolicy = s3ControlClient.getBucketPolicy(reqGetBucketPolicy);
    // getPolicy() returns the policy document itself as a JSON string.
    System.out.printf("GetBucketPolicy Response: %s%n", respGetBucketPolicy.getPolicy());

}
```

# Deleting the bucket policy for your Amazon S3 on Outposts bucket
<a name="S3OutpostsBucketPolicyDelete"></a>


The following topics show you how to delete your Amazon S3 on Outposts bucket policy by using the AWS Management Console or AWS Command Line Interface (AWS CLI). 

## Using the S3 console
<a name="s3-outposts-bucket-delete-policy"></a>

**To delete a bucket policy**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket whose bucket policy you want to delete.

1. Choose the **Permissions** tab.

1. In the **Outposts bucket policy** section, choose **Delete**.

1. Confirm the deletion.

## Using the AWS CLI
<a name="S3OutpostsBucketPolicyDeleteCLI"></a>

The following example deletes the bucket policy for an S3 on Outposts bucket (`s3-outposts:DeleteBucketPolicy`) by using the AWS CLI. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control delete-bucket-policy --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket
```

# Bucket policy examples
<a name="S3Outposts-example-bucket-policies"></a>

With S3 on Outposts bucket policies, you can secure access to objects in your S3 on Outposts buckets, so that only users with the appropriate permissions can access them. You can even prevent authenticated users without the appropriate permissions from accessing your S3 on Outposts resources.

This section presents examples of typical use cases for S3 on Outposts bucket policies. To test these policies, replace the `user input placeholders` with your own information (such as your bucket name). 

To grant or deny permissions to a set of objects, you can use wildcard characters (`*`) in Amazon Resource Names (ARNs) and other values. For example, you can control access to groups of objects that begin with a common [prefix](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#keyprefix) or end with a given extension, such as `.html`. 

For more information about AWS Identity and Access Management (IAM) policy language, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md).

**Note**  
When testing S3 on Outposts permissions by using the Amazon S3 console, you must also grant the permissions that the console itself requires, such as `s3-outposts:CreateEndpoint` and `s3-outposts:ListEndpoints`.

**Additional resources for creating bucket policies**
+ For a list of the IAM policy actions, resources, and condition keys you can use when creating an S3 on Outposts bucket policy, see [Actions, resources, and condition keys for Amazon S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html).
+ For guidance on creating your S3 on Outposts policy, see [Adding or editing a bucket policy for an Amazon S3 on Outposts bucket](S3OutpostsBucketPolicyEdit.md).

**Topics**
+ [Managing access to an Amazon S3 on Outposts bucket based on specific IP addresses](#S3OutpostsBucketPolicyManageIPaccess)

## Managing access to an Amazon S3 on Outposts bucket based on specific IP addresses
<a name="S3OutpostsBucketPolicyManageIPaccess"></a>


### Restrict access to specific IP addresses
<a name="S3Outposts-example-bucket-policies-IP-1"></a>

The following example denies all users from performing any [S3 on Outposts operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/S3OutpostsWorkingBuckets.html) on objects in the specified buckets unless the request originates from the specified range of IP addresses. 

**Note**  
When you restrict access to specific IP addresses, also decide which VPC endpoints, VPC source IP addresses, or external IP addresses must keep access to the S3 on Outposts bucket, and put those permissions in place before you apply the policy. A request that reaches the bucket through a VPC endpoint carries `aws:VpcSourceIp` rather than `aws:SourceIp` in its request context, and a `NotIpAddress` condition evaluates as true when its key is absent, so a policy that denies all S3 on Outposts operations unless `aws:SourceIp` is in your range also denies those requests. Without the proper permissions already in place, you might lose access to the bucket.

This policy's `Condition` statement identifies *`192.0.2.0/24`* as the range of allowed IPv4 addresses. 

The `Condition` block uses the `NotIpAddress` condition operator and the `aws:SourceIp` condition key, which is an AWS global condition key. The `aws:SourceIp` condition key can only be used for public IP address ranges. For more information about these condition keys, see [Actions, resources, and condition keys for S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html). The `aws:SourceIp` IPv4 values use standard CIDR notation. For more information, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Conditions_IPAddress) in the *IAM User Guide*. 

**Warning**  
Before using this S3 on Outposts policy, replace the *`192.0.2.0/24`* IP address range in this example with an appropriate value for your use case. Otherwise, you'll lose the ability to access your bucket.

```
{
    "Version": "2012-10-17",
    "Id": "S3OutpostsPolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3-outposts:*",
            "Resource": [
                "arn:aws:s3-outposts:region:111122223333:outpost/OUTPOSTS-ID/accesspoint/EXAMPLE-ACCESS-POINT-NAME",
                "arn:aws:s3-outposts:region:111122223333:outpost/OUTPOSTS-ID/bucket/amzn-s3-demo-bucket"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}
```

### Allow both IPv4 and IPv6 addresses
<a name="S3Outposts-example-bucket-policies-IP-2"></a>

When you start using IPv6 addresses, we recommend that you update all of your organization's policies with your IPv6 address ranges in addition to your existing IPv4 ranges. Doing this will help to make sure that the policies continue to work as you make the transition to IPv6.

The following S3 on Outposts example bucket policy shows how to mix IPv4 and IPv6 address ranges to cover all of your organization's valid IP addresses. The example policy allows access from the example addresses *`192.0.2.1`* and *`2001:DB8:1234:5678::1`* (inside the `IpAddress` ranges) and withholds that allow from *`203.0.113.1`* and *`2001:DB8:1234:5678:ABCD::1`* (inside the `NotIpAddress` ranges). Because the statement is an `Allow`, requests from the excluded addresses, like requests from any address not listed, fall through to the implicit deny rather than being explicitly denied.

The `aws:SourceIp` condition key can only be used for public IP address ranges. The IPv6 values for `aws:SourceIp` must be in standard CIDR format. For IPv6, we support using `::` to represent a range of 0s (for example, `2001:DB8:1234:5678::/64`). For more information, see [IP address condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IPAddress) in the *IAM User Guide*.

**Warning**  
Replace the IP address ranges in this example with appropriate values for your use case before using this S3 on Outposts policy. Otherwise, you might lose the ability to access your bucket.

```
{
    "Id": "S3OutpostsPolicyId2",
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowIPmix",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3-outposts:GetObject",
                "s3-outposts:PutObject",
                "s3-outposts:ListBucket"
            ],
            "Resource": [            
                "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket",
                "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "192.0.2.0/24",
                        "2001:DB8:1234:5678::/64"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "203.0.113.0/24",
                        "2001:DB8:1234:5678:ABCD::/80"
                    ]
                }
            }
        }
    ]
}
```
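To see how the two policies in this section behave before applying them (the `Deny` plus `NotIpAddress` policy under "Restrict access to specific IP addresses" and the mixed IPv4/IPv6 `Allow` above), the following Python script is an added example, not code from the original page or from AWS. It implements only the part of IAM evaluation these policies depend on: any matching `Deny` wins, a matching `Allow` is otherwise required, and anything else is an implicit deny. A request that carries no `aws:SourceIp` in its context, which is what a request arriving through a VPC endpoint looks like, is passed as `source_ip=None`, to show the lockout case the note above warns about. The caller identity, the object ARN shape, and the use of `bucket` and `bucket/*` resources in the first policy are this example's assumptions; the CIDR ranges and the other policy fields are the page's. It uses only the standard library and sends nothing to AWS.

```python
"""Offline evaluator for the two IP-based bucket policies on this page.

Added example, standard library only; it does not call AWS. Models: explicit
Deny wins, otherwise a matching Allow is needed, otherwise implicit deny. A
request with no aws:SourceIp in its context is passed as source_ip=None.
Object ARN shape and the caller identity are this example's assumptions.
"""
import fnmatch
import ipaddress

OUTPOST = "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904"
BUCKET = OUTPOST + "/bucket/amzn-s3-demo-bucket"
OBJECT = BUCKET + "/object/reports/q1.csv"          # assumed object ARN shape
CALLER = "arn:aws:iam::111122223333:user/analyst"   # constructed caller in the bucket owner's account

# Page example 1 (Restrict access to specific IP addresses), with bucket and object resources.
DENY_OUTSIDE_RANGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow", "Effect": "Deny", "Principal": "*", "Action": "s3-outposts:*",
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}},
    }],
}

# Page example 2 (Allow both IPv4 and IPv6 addresses).
ALLOW_MIXED_RANGES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowIPmix", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["s3-outposts:GetObject", "s3-outposts:PutObject", "s3-outposts:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "2001:DB8:1234:5678::/64"]},
            "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24", "2001:DB8:1234:5678:ABCD::/80"]},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _in_any_range(source_ip, cidrs):
    """True if the address is inside any listed CIDR of the same IP version; False if the key is absent."""
    if source_ip is None:
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in map(ipaddress.ip_network, cidrs) if net.version == addr.version)


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        # An account root principal stands for every identity in that account
        # (the identity still needs its own IAM permission; not modelled here).
        if entry in ("*", caller_arn) or (
            entry.endswith(":root") and caller_arn.startswith(entry[: -len("root")])
        ):
            return True
    return False


def _condition_holds(condition, source_ip):
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {operator} not modelled")
        matched = _in_any_range(source_ip, _as_list(keys["aws:SourceIp"]))
        if operator == "IpAddress" and not matched:
            return False
        # NotIpAddress is also satisfied when aws:SourceIp is absent from the request context.
        if operator == "NotIpAddress" and matched:
            return False
    return True


def evaluate(policy, caller_arn, action, resource, source_ip):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request against one bucket policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    for label, policy, ip in [
        ("in range, example 1", DENY_OUTSIDE_RANGE, "192.0.2.10"),
        ("outside range, example 1", DENY_OUTSIDE_RANGE, "203.0.113.5"),
        ("no aws:SourceIp (VPC endpoint), example 1", DENY_OUTSIDE_RANGE, None),
        ("IPv6 in /64, example 2", ALLOW_MIXED_RANGES, "2001:db8:1234:5678::1"),
        ("IPv6 in carved-out /80, example 2", ALLOW_MIXED_RANGES, "2001:db8:1234:5678:abcd::1"),
    ]:
        print(f"{label}: {evaluate(policy, CALLER, 's3-outposts:GetObject', OBJECT, ip)}")
```

Two results are worth noting. The first policy on its own never allows anything: a request from inside `192.0.2.0/24` gets an implicit deny, so the allow has to come from another statement or from an identity policy. And a request with no `aws:SourceIp` gets an explicit deny from that policy, which is the lockout the note describes.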
