Set, Get and Delete AWS S3 bucket policies

In the last blog post, we have learned how to create S3 buckets. By default, all S3 buckets are private and there is no policy attached to them. S3 policies can define which user can perform which kind of actions on this bucket. If you want to know how S3 policies are different from IAM policies you can read this post.

In this tutorial, let us learn how we can manage S3 bucket policies. We will learn how to check existing bucket polices, attach new ones and delete policies from S3 console as well as pragmatically using AWS CLI and Python.

Using S3 Console

Reading Existing Bucket Polices

First, we will understand, how to check existing bucket policies from the S3 console. As mentioned before all S3 buckets have no policy attached by default. You can validate that, when you select any bucket then click on permissions -> and then bucket policy.

Attaching Bucket Policy

We can generate AWS policy using a simple tool provided by AWS. Before we attach policy, let us try to access S3 bucket using “testuser”. This user currently does not have any access to S3. So when we try to list files in the S3 bucket we will see the following output.

listing S3 bucket without permission
Listing S3 bucket without permission

We can generate the following policy using the AWS Policy Generator. This policy grants all access to S3 bucket “testbucket-frompython-1” to IAM user “testuser”.

Now if we have attached this policy correctly and try to list S3 files from “testbucket-frompython-1” bucket, we should see some output now.

Listing S3 Bucket after attaching policy to S3
Listing S3 Bucket after attaching policy to S3

Deleting bucket policy

Deleting Bucket’s policy is easy. You can again open the S3 bucket, go to the permissions tab and then to Bucket Policy and click on the Delete button. This will delete all polices attached to this bucket.

Managing Bucket Polices With AWS CLI

Listing Bucket Polices

You can easily list bucket policies using the following AWS CLI command. If you have policies attached to the bucket you will see output otherwise you will get “The bucket policy does not exist” message as shown in the below image. ( We do not have any policy attached to this bucket as we have deleted all attached policies in the last step.)

Get S3 bucket polices using AWS CLI
Get S3 bucket polices using AWS CLI

Attaching Policy to S3 Bucket

For attaching policy to S3 bucket using CLI, we need to create JSON document with policy that we want to attach. We will be using same policy attached mentioend above, which will grant “testuser” all access to S3 bucket. Then we can run following command to attach policy to bucket. (please use proper file path when using command below.)

Attach S3 Bucket Policy using AWS CLI
Attach S3 Bucket Policy using AWS CLI

Deleting S3 Bucket Policy

We can also delete S3 bucket policy using simple CLI command.

Delete S3 Bucket Policies using AWS CLI
Delete S3 Bucket Policies using AWS CLI

Managing Bucket Policies With Python

At last we will write python scripts to get, put and delete S3 bucket policies. let us get started.

Get Bucket Policies

We can get S3 bucket policies using following code. If there are no policies attached to the bucket, then get_bucket_policy() function throws error. We have to manage that in code.

As usual, We can use S3 resource as well to list bucket policies.

Put S3 Bucket Policy

We will be using same above policy. When using Python we do not need to store policy in separate document.

We can achieve same effect using bucket resource as well.

Deleting S3 Bucket Policy

Following python code snippet can be used to delete attached bucket policy.

Conclusion

I hope this article helped you in understanding different ways in which you can manage S3 bucket policies. You can try performing operations at each step to validate if the policy is attached or deleted correctly. You can get code created in this blog from this git repo. If you have any questions please let me know. See you in the next blog.

Similar Posts

2 Comments

  1. is it possible to list bucket from console once you attach the bucket policy to the bucket? lets go with your example above. i know it works from CLI perspective but what about console. can i list this bucket with attached policy in console as the allowed user?
    food for thought….

    1. Hello Santosh,
      Thanks for taking an interest. I am not sure I understand you correctly but if you are saying will you be able to list all buckets on the console to which you have access to then yes you can.

      If you have any more questions do reach out to me.

      Thanks
      Mahesh

Comments are closed.