Bucket Policy

Overview

The vStorage Bucket Policy feature lets you manage access to your buckets through JSON rules. It gives you granular control over the actions that an IAM User (coming soon), another vStorage account, or an external source can perform on your bucket and the objects within it. The basic steps for configuring a Bucket Policy are:

  1. Select the icon in the project containing the bucket you want to grant permissions to.

  2. If you want to delegate bucket permissions to a Root User Account, another IAM User Account, or a Service Account, you need the vStorage User ID of the user you want to delegate permissions to:

    a. For a Root User Account: the vStorage User ID is shown on the project information page, as shown below.

    b. For an IAM User Account or a Service Account: the vStorage User ID is shown in Identity and Access Management.

  3. Select the Bucket you want to configure authorization for.

  4. Select the Action icon and select Configure policy.

  5. Here, you can choose the configuration for each Statement on the left or directly edit the JSON in the right column. The structure of a Bucket Policy is:

  • Version: Specifies the policy language version (recommended "2012-10-17").

  • Statement: Each policy has one or more Statements (the specific purposes of the policy).

    • Effect: Allow or Deny access.

    • Principal: The entity to which access is granted (IAM User (coming soon), a specific vStorage account).

    • Action: Actions allowed on the bucket, for example: s3:GetObject (view object), s3:PutObject (upload object), s3:DeleteObject (delete object), …

    • Resource: The specific buckets and objects affected by the policy (identified by ARN).

    • Condition: (Optional) Specific conditions that restrict access.

  6. Select Save to save the Bucket Policy configuration.


Example

Example 1: Grant public-read permission to the entire bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

Grant everyone (*) read permission (s3:GetObject) on all objects in the bucket.


Example 2: Grant only a specific vStorage User permission to upload and delete objects

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam:::user/vStorage user ID" },
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

Only the vStorage user whose ID appears in the policy is allowed to upload (s3:PutObject) and delete (s3:DeleteObject) objects.


Example 3: Block all vStorage Users (including the Root User Account) from acting on the bucket and its objects

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Do not allow anyone (including the Root User) to work with the bucket and its objects.

Example 4: Only allow users with IP address 10.0.0.1 to get object information

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.0.0.1"
        }
      }
    }
  ]
}

Only users with IP address 10.0.0.1 can get object information; requests from any other source IP are denied s3:GetObject.
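To see how the fields described in the structure section combine at evaluation time, here is a small policy evaluator. It is an added example, not vStorage's own code; it follows the evaluation order of S3-compatible stores (a matching Deny wins, otherwise a matching Allow is required, otherwise the request is denied) and supports only the constructs used in Examples 1 to 5: Principal "*" or {"AWS": "<ARN>"}, Action/Resource strings or lists with "*" wildcards, and IpAddress/NotIpAddress conditions on aws:SourceIp. The sample policies, the object name and the source addresses are constructed; the user ARN reuses the placeholder form shown on this page. Running it shows that Example 4's Deny on its own never grants anything: an Allow statement is still needed for 10.0.0.1 to read objects.

```python
"""Evaluate a request against an S3-style bucket policy (added example)."""
import ipaddress
import json
from fnmatch import fnmatchcase


def _as_list(value):
    """A policy field may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, requester):
    """Principal "*" matches everyone; {"AWS": ...} matches the listed ARN(s)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or requester in _as_list(aws)
    return False


def _ip_in(cidrs, source_ip):
    """True if source_ip falls inside any listed address or CIDR range."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_matches(condition, source_ip):
    """All condition blocks must hold; unsupported conditions raise rather than guess."""
    for operator, keys in condition.items():
        for key, cidrs in keys.items():
            if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                raise ValueError(f"unsupported condition {operator} on {key}")
            if (operator == "IpAddress") != _ip_in(cidrs, source_ip):
                return False
    return True


def is_allowed(policy, requester, action, resource, source_ip):
    """Deny-overrides evaluation: any matching Deny -> False; else any matching Allow -> True."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt["Principal"], requester):
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny cannot be overridden by any Allow
        allowed = True
    return allowed


# Constructed sample: the page's Example 4 as written (a Deny on its own).
DENY_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.1"}}
  }]
}""")

# Constructed sample: the same Deny plus the Allow that actually grants GetObject.
ALLOW_AND_DENY = json.loads(json.dumps(DENY_ONLY))
ALLOW_AND_DENY["Statement"].insert(0, {
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::your-bucket-name/*",
})

OBJECT = "arn:aws:s3:::your-bucket-name/report.pdf"     # constructed object ARN
USER = "arn:aws:iam:::user/vStorage user ID"            # placeholder ARN form from this page


def demo():
    """Decisions for s3:GetObject (and one PutObject) on OBJECT under both policies."""
    return {
        "deny-only from 10.0.0.1": is_allowed(DENY_ONLY, USER, "s3:GetObject", OBJECT, "10.0.0.1"),
        "deny-only from 10.0.0.2": is_allowed(DENY_ONLY, USER, "s3:GetObject", OBJECT, "10.0.0.2"),
        "allow+deny from 10.0.0.1": is_allowed(ALLOW_AND_DENY, USER, "s3:GetObject", OBJECT, "10.0.0.1"),
        "allow+deny from 10.0.0.2": is_allowed(ALLOW_AND_DENY, USER, "s3:GetObject", OBJECT, "10.0.0.2"),
        "allow+deny PutObject from 10.0.0.1": is_allowed(ALLOW_AND_DENY, USER, "s3:PutObject", OBJECT, "10.0.0.1"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:36} -> {'ALLOW' if decision else 'DENY'}")
```

The evaluator deliberately raises on any condition operator or key it does not understand, because silently ignoring a condition would change the meaning of a Deny statement; extend `_condition_matches` before using it on policies with other conditions.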

Example 5: Add multiple statements in a JSON file

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam:::user/vStorage user ID" },
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutBucketEncryption",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Allow all users to GetObject, allow only the one vStorage user named in the policy to PutObject and DeleteObject, and deny all users PutBucketEncryption.

Attention:

  • Check public permissions: Some Bucket Policies result in public access. Check them carefully to ensure data security.

  • Bucket Policy and ACL: Ensure that the permissions in the Bucket Policy do not conflict with the Access Control List (ACL) of the bucket or object.
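The "Check public permissions" note can be applied mechanically before saving a policy. The following checker is an added example, not vStorage's own tooling: it verifies the policy shape described above (Version, Statement, and each statement's Effect/Principal/Action/Resource) and reports every action/resource pair that an Allow statement with Principal "*" (or {"AWS": "*"}) and no Condition grants to anonymous callers. Deny statements are not evaluated, so a public Allow that is narrowed by a separate Deny is still reported for manual review. The sample policies are the page's Example 1 and Example 2 plus one constructed public-write policy.

```python
"""Flag public grants and structural problems in an S3-style bucket policy (added example)."""
import json

WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:*")


def _as_list(value):
    """A policy field may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def structure_issues(policy):
    """Return a list of problems with the policy's shape (empty list = well-formed)."""
    issues = []
    if policy.get("Version") != "2012-10-17":
        issues.append('Version should be "2012-10-17"')
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        issues.append("policy has no Statement")
    for i, stmt in enumerate(statements):
        for field in ("Effect", "Principal", "Action", "Resource"):
            if field not in stmt:
                issues.append(f"statement {i}: missing {field}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            issues.append(f"statement {i}: Effect must be Allow or Deny")
    return issues


def public_grants(policy):
    """Return (action, resource) pairs that an anonymous caller receives."""
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                grants.append((action, resource))
    return grants


def public_write(policy):
    """True if the public grants include any write or wildcard action."""
    return any(action.startswith(WRITE_PREFIXES) for action, _ in public_grants(policy))


# Sample: the page's Example 1 (public read of every object).
PUBLIC_READ = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::your-bucket-name/*"}]
}""")

# Constructed sample: a mistake that hands anonymous callers every S3 action.
PUBLIC_WRITE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
                   "Resource": "arn:aws:s3:::your-bucket-name/*"}],
}

# Sample: the page's Example 2 (one named vStorage user may upload and delete).
USER_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam:::user/vStorage user ID"},
                   "Action": ["s3:PutObject", "s3:DeleteObject"],
                   "Resource": "arn:aws:s3:::your-bucket-name/*"}],
}


def report(policy):
    """Human-readable summary of the checks for one policy."""
    lines = [f"structure: {structure_issues(policy) or 'ok'}"]
    for action, resource in public_grants(policy):
        lines.append(f"PUBLIC {action} on {resource}")
    if public_write(policy):
        lines.append("WARNING: anonymous write or wildcard access")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, pol in (("public-read", PUBLIC_READ), ("public-write", PUBLIC_WRITE), ("user-only", USER_ONLY)):
        print(f"== {name}\n{report(pol)}")
```

Run it on the JSON you are about to paste into the policy editor; a policy that is meant to be private should produce no PUBLIC lines at all, and a public-read bucket should never trigger the write warning.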
