
BucketPolicy

The BucketPolicy resource allows you to manage AWS S3 Bucket Policies to control access to your S3 buckets. This resource helps define the permissions for who can access the bucket and what actions they can perform.

Create a basic S3 bucket policy that grants anonymous (public) read access to every object in the bucket.

import AWS from "alchemy/aws/control";

const bucketPolicy = await AWS.S3.BucketPolicy("publicReadPolicy", {
  Bucket: "my-public-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:::my-public-bucket/*"
      }
    ]
  }
});

Configure a bucket policy that allows both read and write actions, but only for requests that originate from a specific IP address range (the aws:SourceIp condition key).

const restrictedAccessPolicy = await AWS.S3.BucketPolicy("restrictedPolicy", {
  Bucket: "my-restricted-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject", "s3:PutObject"],
        Resource: "arn:aws:s3:::my-restricted-bucket/*",
        Condition: {
          IpAddress: {
            "aws:SourceIp": "203.0.113.0/24"
          }
        }
      }
    ]
  }
});

Create a bucket policy that allows read access only to objects that carry a specific tag (the s3:ExistingObjectTag/Access condition key tests the tag on the stored object, so objects without Access=granted are not readable).

const conditionalAccessPolicy = await AWS.S3.BucketPolicy("taggedAccessPolicy", {
  Bucket: "my-tagged-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:::my-tagged-bucket/*",
        Condition: {
          StringEquals: {
            "s3:ExistingObjectTag/Access": "granted"
          }
        }
      }
    ]
  }
});

Set up a bucket policy that grants another AWS account (identified by its account root ARN) full S3 access to the bucket itself and to every object in it.

const crossAccountPolicy = await AWS.S3.BucketPolicy("crossAccountPolicy", {
  Bucket: "my-cross-account-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          AWS: "arn:aws:iam::123456789012:root"
        },
        Action: "s3:*",
        Resource: [
          "arn:aws:s3:::my-cross-account-bucket",
          "arn:aws:s3:::my-cross-account-bucket/*"
        ]
      }
    ]
  }
});
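As an added example that is not part of the Alchemy docs or library, the following TypeScript audits a PolicyDocument of the shape shown above before it is handed to AWS.S3.BucketPolicy: it flags Allow statements that use Principal "*" with no Condition (the public-read example) and Allow statements with wildcard actions such as s3:* (the cross-account example). The types, the auditBucketPolicy function and the sample documents are all constructed here.

```typescript
// Added example (not Alchemy's own code): audit a PolicyDocument before passing it to
// AWS.S3.BucketPolicy. It flags Allow statements that open the bucket to any principal
// without a Condition, and Allow statements that use wildcard actions such as "s3:*".
type Principal = "*" | { AWS: string | string[] };
type Statement = {
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Version: string; Statement: Statement[] };

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Both the bare "*" and { AWS: "*" } forms mean "anyone, including anonymous requests".
function isAnyPrincipal(p: Principal): boolean {
  return p === "*" || asList(p.AWS).includes("*");
}

// Returns one finding per risky statement; an empty array means nothing was flagged.
function auditBucketPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return; // Deny statements can only narrow access
    const actions = asList(s.Action).join(", ");
    if (isAnyPrincipal(s.Principal) && !s.Condition) {
      findings.push(`statement ${i}: Principal "*" with no Condition grants anonymous ${actions}`);
    }
    if (asList(s.Action).some((a) => a === "*" || a === "s3:*")) {
      findings.push(`statement ${i}: wildcard action ${actions} includes policy and ACL changes`);
    }
  });
  return findings;
}

// Constructed inputs that mirror the first, second and fourth examples above.
const publicRead: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: "arn:aws:s3:::my-public-bucket/*" },
] };
const ipRestricted: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: "*", Action: ["s3:GetObject", "s3:PutObject"],
    Resource: "arn:aws:s3:::my-restricted-bucket/*",
    Condition: { IpAddress: { "aws:SourceIp": "203.0.113.0/24" } } },
] };
const crossAccount: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:root" }, Action: "s3:*",
    Resource: ["arn:aws:s3:::my-cross-account-bucket", "arn:aws:s3:::my-cross-account-bucket/*"] },
] };
```

A Condition does not by itself make a Principal "*" statement safe; the audit only separates unconditioned public grants from conditioned ones so that a reviewer looks at the condition itself.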