---
title: An S3 bucket policy to allow full-access for a single bucket.
date: 2018-02-24T15:20:00-05:00
author: John Morton
canonical_url: "https://supergeekery.com/blog/s3-bucket-policy"
section: Blog
---
# An S3 bucket policy to allow full-access for a single bucket.

*February 24, 2018* by John Morton

When I have a new project that requires some Amazon S3 storage, I try to do the "right thing" for security by creating a new user and a new bucket entirely. I don't want to share any credentials across projects.

That means that after I have created my S3 bucket I need to assign a user with the appropriate permissions. For me, that typically means I want this new user to have full access to manage that bucket and no others.

Since I have to dig around every time I do this to create the policy, I decided to post it here. In the example below, my bucket name is "mybucketname". Creative!

Note that despite the title this is an IAM identity policy, not an S3 bucket policy: it has no `Principal` element, so it only ever applies to the identity it is attached to. You can attach it to your IAM user directly or to a group that the user belongs to.

About the _Sid_ line, I've added that because the bucket I'm creating will now, by default, make the files I'm uploading available to the public. Regarding this setting, the Amazon docs say _"The Sid (statement ID) is an optional identifier that you provide for the policy statement."_ So, basically, I think it's there to help you identify the policy's role next time you come take a look at the policy statement. 

In practical terms, I'm using this bucket to store images I'm uploading from a web form for use by an API. I want those uploaded images viewable by the world and "AllowPublicRead" is hopefully a way for me to quickly identify that later.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname",
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}
```
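Two things are worth checking before attaching a policy like the one above: exactly which requests it allows (`s3:*` on the bucket includes `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketPublicAccessBlock`, not just object reads and writes), and the fact that a `Sid` is only a label. The statement named `AllowPublicRead` grants the IAM user everything and grants the public nothing; public read comes from a resource-based bucket policy with a `Principal`, or from object ACLs. The evaluator below is an added example, not code from the original post or from AWS. It implements the subset of the IAM policy language these documents use (Effect, Action and Resource with `*` wildcards, optional Principal) so the post's identity policy, a constructed public-read bucket policy, and a constructed guardrail Deny can be exercised offline; the `site-assets/` prefix is borrowed from the 2023 policy in the update and the guardrail action list is my assumption of what a "manage this bucket" user should still not be able to do. The same `evaluate` function can be pointed at the 2023 policy in the update below.

```python
"""Offline evaluator for the IAM identity policy and S3 bucket policy documents in this post.

Added example, not code from the original post or from AWS. It models only the
subset of the IAM policy language used here: Effect Allow/Deny, Action and
Resource as a string or list with '*' / '?' wildcards, and an optional Principal
for resource-based (bucket) policies. Condition, NotAction, NotResource,
NotPrincipal, permission boundaries and SCPs are not modelled; for the real
evaluation use `aws iam simulate-custom-policy`.
"""
import fnmatch

ANONYMOUS = "anonymous"  # the unauthenticated caller that a public bucket policy serves


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM compares action names case-insensitively ("s3:getobject" == "s3:GetObject").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive; '*' spans '/' and ':' just as it does in IAM.
    return fnmatch.fnmatchcase(resource, pattern)


def _principal_matches(spec, principal):
    # "*" and {"AWS": "*"} both mean everyone, anonymous callers included.
    if spec == "*":
        return True
    allowed = _as_list(spec.get("AWS", [])) if isinstance(spec, dict) else []
    return "*" in allowed or principal in allowed


def _statement_applies(stmt, action, resource, principal):
    if "Principal" in stmt:
        if not _principal_matches(stmt["Principal"], principal):
            return False
    elif principal is not None:
        # No Principal element: an identity policy, which only governs the identity it is attached to.
        return False
    return any(_action_matches(a, action) for a in _as_list(stmt["Action"])) and any(
        _resource_matches(r, resource) for r in _as_list(stmt["Resource"])
    )


def evaluate(policy, action, resource, principal=None):
    """Return 'allow' or 'deny'. An explicit Deny always wins; no match is an implicit deny.

    principal=None means "the IAM identity this policy is attached to"; pass
    ANONYMOUS or a principal ARN when evaluating a bucket policy.
    """
    decision = "deny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource, principal):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


# The identity policy from the post (attached to the project's IAM user).
POST_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "AllowPublicRead", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::mybucketname", "arn:aws:s3:::mybucketname/*"]},
    ],
}

# Constructed example of what actually makes objects public: a resource-based bucket
# policy with a Principal. Scoping it to one prefix (assumed: "site-assets/") keeps
# the rest of the bucket private. S3 Block Public Access, if enabled, overrides this.
PUBLIC_READ_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucketname/site-assets/*"}],
}

# Constructed guardrail (my assumption of what a bucket-admin user should still not do):
# an explicit Deny that wins over the "s3:*" Allow above.
GUARDRAIL_DENY = {
    "Effect": "Deny",
    "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock",
               "s3:PutBucketAcl", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::mybucketname", "arn:aws:s3:::mybucketname/*"],
}


def with_guardrail(policy):
    """Copy of an identity policy with GUARDRAIL_DENY appended as a final statement."""
    return {"Version": policy["Version"], "Statement": list(_as_list(policy["Statement"])) + [GUARDRAIL_DENY]}


if __name__ == "__main__":
    bucket, obj = "arn:aws:s3:::mybucketname", "arn:aws:s3:::mybucketname/site-assets/logo.png"
    checks = [
        (POST_IDENTITY_POLICY, "s3:PutObject", obj, None),                           # allow
        (POST_IDENTITY_POLICY, "s3:PutObject", "arn:aws:s3:::otherbucket/x", None),  # deny: other bucket
        (POST_IDENTITY_POLICY, "s3:DeleteBucket", bucket, None),                     # allow: s3:* is destructive
        (POST_IDENTITY_POLICY, "s3:GetObject", obj, ANONYMOUS),                      # deny: Sid does not make it public
        (PUBLIC_READ_BUCKET_POLICY, "s3:GetObject", obj, ANONYMOUS),                 # allow: this is public read
        (PUBLIC_READ_BUCKET_POLICY, "s3:PutObject", obj, ANONYMOUS),                 # deny
        (with_guardrail(POST_IDENTITY_POLICY), "s3:DeleteBucket", bucket, None),     # deny: explicit Deny wins
    ]
    for policy, action, resource, principal in checks:
        who = principal or "attached identity"
        print(f"{who:>17}  {action:<16}  {resource:<48}  {evaluate(policy, action, resource, principal)}")
```

Run it as a script to see the decision table. The pattern to keep is the last row: when you hand a project user `s3:*` for convenience, an explicit Deny on the handful of actions that can expose or destroy the bucket costs one statement and cannot be undone by any Allow in the same policy.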
## Update

I'm no longer using the above IAM policy. Here's the IAM policy I've migrated to as of 2023. It includes permissions for CloudFront, which I use to distribute images from the S3 bucket.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "cloudfront:ListInvalidations",
                "cloudfront:GetInvalidation",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": [
                "arn:aws:s3:::assets.example.com/site-assets/*",
                "arn:aws:s3:::assets.example.com",
                "arn:aws:cloudfront::REPLACEME:distribution/REPLACEME"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::assets.example.com"
            ]
        }
    ]
}
```

---

**Tags:** s3, dev
