
BucketPolicy

The BucketPolicy resource manages an AWS S3 bucket policy, the resource-based policy attached to a bucket that controls who can access it. The policy document states which principals may reach the bucket and which actions they may perform on it and on the objects it holds.

Minimal Example

Create a basic S3 bucket policy that grants read access to all users. Because the principal is `"*"` with no condition, this is anonymous, public read access to every object in the bucket; the bucket's Block Public Access settings must permit public policies for it to take effect.

```ts
import AWS from "alchemy/aws/control";

const bucketPolicy = await AWS.S3.BucketPolicy("publicReadPolicy", {
  Bucket: "my-public-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:::my-public-bucket/*"
      }
    ]
  }
});
```

Advanced Configuration

Configure a bucket policy that restricts access to a specific IP range and allows both read and write actions. The principal is still `"*"`, so any unauthenticated caller whose source address falls in the range can read and write objects; narrow the principal as well unless that is intended. Note that `aws:SourceIp` is evaluated against the public IP of the request, so it does not match traffic arriving through a VPC endpoint.

```ts
import AWS from "alchemy/aws/control";

const restrictedAccessPolicy = await AWS.S3.BucketPolicy("restrictedPolicy", {
  Bucket: "my-restricted-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject", "s3:PutObject"],
        Resource: "arn:aws:s3:::my-restricted-bucket/*",
        Condition: {
          IpAddress: {
            "aws:SourceIp": "203.0.113.0/24"
          }
        }
      }
    ]
  }
});
```

Conditional Access Policy

Create a bucket policy that allows read access only when the object being requested carries a specific tag. The `s3:ExistingObjectTag/<key>` condition key is evaluated against the tag already on the stored object, so objects without the `Access=granted` tag stay inaccessible to this statement's principal.

```ts
import AWS from "alchemy/aws/control";

const conditionalAccessPolicy = await AWS.S3.BucketPolicy("taggedAccessPolicy", {
  Bucket: "my-tagged-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:::my-tagged-bucket/*",
        Condition: {
          StringEquals: {
            "s3:ExistingObjectTag/Access": "granted"
          }
        }
      }
    ]
  }
});
```

Multi-Account Access

Set up a bucket policy that allows another AWS account to access your S3 bucket. Naming the account's `root` principal delegates access to the whole account; the identities in that account still need their own IAM permissions before they can use it. `s3:*` grants every bucket and object operation, including deletion, so scope the action list down where a narrower grant will do.

```ts
import AWS from "alchemy/aws/control";

const crossAccountPolicy = await AWS.S3.BucketPolicy("crossAccountPolicy", {
  Bucket: "my-cross-account-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          AWS: "arn:aws:iam::123456789012:root"
        },
        Action: "s3:*",
        Resource: [
          "arn:aws:s3:::my-cross-account-bucket",
          "arn:aws:s3:::my-cross-account-bucket/*"
        ]
      }
    ]
  }
});
```