Skip to content
Alchemy
GitHubXDiscord

BucketPolicy

The BucketPolicy resource allows you to manage the access policies for AWS S3Outposts Buckets. It helps define permissions for various actions on your S3Outposts resources.

Minimal Example

Section titled “Minimal Example”

Create a basic bucket policy that allows public read access to a specific bucket.

import AWS from "alchemy/aws/control";


const bucketPolicy = await AWS.S3Outposts.BucketPolicy("public-read-policy", {
  Bucket: "my-outposts-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: "*",
      Action: "s3:GetObject",
      Resource: "arn:aws:s3-outposts:us-west-2:123456789012:outpost/my-outposts-bucket/*"
    }]
  },
  adopt: false // Default is false
});

Advanced Configuration

Section titled “Advanced Configuration”

Configure a bucket policy that restricts access to a specific IP range.

const ipRestrictedPolicy = await AWS.S3Outposts.BucketPolicy("ip-restricted-policy", {
  Bucket: "my-outposts-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: {
        AWS: "arn:aws:iam::123456789012:role/MyRole"
      },
      Action: "s3:PutObject",
      Resource: "arn:aws:s3-outposts:us-west-2:123456789012:outpost/my-outposts-bucket/*",
      Condition: {
        IpAddress: {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }]
  }
});

Conditional Access

Section titled “Conditional Access”

Create a bucket policy that allows access based on the request’s source VPC.

const vpcPolicy = await AWS.S3Outposts.BucketPolicy("vpc-access-policy", {
  Bucket: "my-outposts-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: "*",
      Action: "s3:GetObject",
      Resource: "arn:aws:s3-outposts:us-west-2:123456789012:outpost/my-outposts-bucket/*",
      Condition: {
        StringEquals: {
          "aws:SourceVpc": "vpc-abcdef123"
        }
      }
    }]
  }
});

Multi-Account Access

Section titled “Multi-Account Access”

Establish a policy that allows cross-account access to a bucket.

const crossAccountPolicy = await AWS.S3Outposts.BucketPolicy("cross-account-policy", {
  Bucket: "my-outposts-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: {
        AWS: "arn:aws:iam::098765432109:role/OtherAccountRole"
      },
      Action: "s3:ListBucket",
      Resource: "arn:aws:s3-outposts:us-west-2:123456789012:outpost/my-outposts-bucket"
    }]
  }
});