Amazon S3 Bucket Policies and Permissions
Create and configure bucket policies in AWS to grant permission to your S3 buckets.
Review the IP addresses to make sure the IP addresses are allowlisted.
Provide sufficient and correct bucket permissions for ingestion or activation jobs to execute successfully.
Bucket permissions required for ingestion:
- GetBucketLocation
- GetObject
- ListBucket
Bucket permissions required for activation:
- DeleteObject
- GetBucketLocation
- GetObject
- ListBucket
- PutObject
This example shows a sample bucket policy that includes the required permissions for activation on a bucket that's provided in the S3 activation target definition.
You can add or edit S3 bucket policies from the AWS console. For more information, see Adding a bucket policy by using the Amazon S3 console.
AWS provides examples of controlling access from VPC endpoints using bucket policies.
When designing the bucket policy, don’t copy and paste this example. This example is only for demonstrating the logic. If you use this example, you could lock yourself out of your bucket, and only the Root Account can unlock the bucket.
This example keeps users of the AWS accountable to still use IAM (Identity and Access Management) and manage the bucket after the Source VPCE policy is set. To reduce the scope to individuals, see the next example. The policy can’t accommodate groups.
In this example, the User named user-name-1 can manage the bucket. The user is a member of the MarketingBucketAdmins group. The group has the permissions set to manage the bucket, but doesn’t have the permissions set to change the bucket policy. The Principal element can’t accommodate IAM groups, but you can add your Bucket Admin on a user-by-user basis.