The S3 bucket policy is processed as follows.
For each request, if the Resource, Principal, and Action elements are all satisfied, a rule is considered to exist for this combination.
If a rule exists and its effect is DENY, the Condition element is not evaluated.
If a rule exists and its effect is ALLOW, the Condition element for that combination is evaluated, and the request is allowed or denied depending on whether the condition is satisfied.
| Element | Description | Values supported |
|---|---|---|
| Sid | Identifies the description or statement. | This element is optional and is not substantially used by Hedvig. |
| Effect | Determines whether a rule is applied when the Principal, Resource, Action, and Condition elements are all satisfied. | ALLOW or DENY |
| Principal | Identifies users who can perform, or users who cannot perform, specific actions. (The NotPrincipal element is not supported.) | To allow any user, including anonymous requests, specify the `*` wildcard character as the value of the Principal element. Otherwise, the format is: |
| Resource | Identifies the bucket and object path to which the specified rule statement applies. (The NotResource element is not supported.) | To include all resources, specify Otherwise, the format is: The `*` wildcard character can be used to denote all, and the `?` wildcard character can be used for a single character. For example, the following value will match any object in a bucket: |
| Action | Allows or denies the specified action on the resource, based on the Effect element. (The NotAction element is not supported.) | To include all actions, specify To include only a specific set of actions, the format is: See S3 Bucket and Object Action Support. The `*` wildcard character can be used to denote a subset of operations. For example, the value: will include the following: |
| Condition | Specifies a condition that, when satisfied, applies a rule. (The IpAddress and NotIpAddress elements are both supported.) | The format for a condition is: The format for The |
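The evaluation order above (match Principal, Resource and Action with `*`/`?` wildcards; DENY applies without looking at Condition; ALLOW applies only when its IpAddress/NotIpAddress condition holds) can be reproduced in a small evaluator. This is an added illustration, not Hedvig's code; the `{"Statement": [...]}` JSON layout, the `arn:aws:s3:::bucket/key` resource form, the `aws:SourceIp` condition key and the default deny when no rule matches are assumptions.

```python
import ipaddress
import re

def _glob(pattern, value):
    # '*' matches any run of characters, '?' exactly one; everything else is literal
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(element, value):
    # Principal may be written as {"AWS": "..."} (assumed); "*" matches everyone, anonymous included
    patterns = [p for v in element.values() for p in _as_list(v)] if isinstance(element, dict) else _as_list(element)
    return any(_glob(p, value) for p in patterns)

def _condition_ok(cond, source_ip):
    # Only IpAddress / NotIpAddress are supported; the key name aws:SourceIp is assumed
    ip = ipaddress.ip_address(source_ip)
    for op, kv in cond.items():
        nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(kv.get("aws:SourceIp", []))]
        in_range = any(ip in n for n in nets)
        if (op == "IpAddress" and not in_range) or (op == "NotIpAddress" and in_range):
            return False
    return True

def evaluate(policy, principal, action, resource, source_ip):
    decision = "DENY"  # assumption: no applicable rule means the request is denied
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Principal"], principal) and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue  # Principal/Resource/Action not all satisfied: no rule for this combination
        if stmt["Effect"].upper() == "DENY":
            return "DENY"  # DENY rules apply without evaluating Condition
        if _condition_ok(stmt.get("Condition", {}), source_ip):
            decision = "ALLOW"  # ALLOW rules apply only when their Condition is satisfied
    return decision

POLICY = {"Statement": [  # constructed sample policy, not from the page
    {"Effect": "ALLOW", "Principal": "*", "Action": "s3:Get*", "Resource": "arn:aws:s3:::logs/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    {"Effect": "DENY", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::logs/secret/?.txt",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
]}

if __name__ == "__main__":
    print(evaluate(POLICY, "alice", "s3:GetObject", "arn:aws:s3:::logs/2024/app.log", "10.1.2.3"))   # ALLOW
    print(evaluate(POLICY, "alice", "s3:GetObject", "arn:aws:s3:::logs/2024/app.log", "203.0.113.5"))  # DENY
    print(evaluate(POLICY, "alice", "s3:GetObject", "arn:aws:s3:::logs/secret/a.txt", "10.1.2.3"))    # DENY
```

The third call shows the consequence of the DENY rule: it matches `logs/secret/a.txt` and denies even though its NotIpAddress condition is not satisfied, so a condition attached to a DENY statement does not narrow it.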