S3 Policy Reference


Identity Policy Format

Identity policies support a subset of elements listed in Amazon's IAM JSON Policy Reference.

Identity policies comprise a series of statements. Each statement allows or denies a set of S3 actions on a set of S3 resources.

The identity policy syntax is:

  {
      "Version": "2012-10-17",
      "Statement": [{
          "Sid": "<SID>",
          ("Action" | "NotAction"): (
              "S3:<ACTION>" |
              ["S3:<ACTION1>", "S3:<ACTION2>", ...] |
              "*"),
          "Effect": (
              "Allow" |
              "Deny"),
          ("Resource" | "NotResource"): (
              [<resource1>, <resource2>, ...] |
              "*")
      }]
  }

Syntax rules and conventions:

  • The following characters are JSON tokens and are included in policies: { } [ ] " , :

  • The following characters are special characters in the grammar and are not included in policies: = < > ( ) |

  • If an element allows multiple values, it is indicated using repeated values, a comma delimiter, and an ellipsis (...). For example: [<resource1>, <resource2>, ...]

  • If multiple values are allowed, it is also valid to include only one value. For only one value, the trailing comma must be omitted. If the element takes an array (marked with [ and ]) but only one value is included, the brackets are optional.

    For example, both of the following are valid, with and without the brackets: "Action": [<action>] and "Action": <action>

  • A vertical line (|) between elements indicates alternatives. Parentheses in the syntax define the scope of the alternatives, for example: ("Action" | "NotAction")

  • Elements that must be literal strings are enclosed in double quotation marks ("). For example, "Allow".

Supported Elements in Identity Policies

  • Version

    (Required) Specifies the version of the policy language (language syntax rules that are to be used to process the policy).

    "Version": "2012-10-17"

    The only valid value is 2012-10-17.

  • Statement

    (Optional) Acts as a container for one or more permission statements.

    "Statement": [{
        <...>
    }]

    Each permission statement under the Statement element must be enclosed in curly braces { }. For multiple statements, the array must be enclosed in square brackets [ ].

  • Sid

    (Optional) An identifier that you can assign to each permission statement under the Statement element. The SID must be unique within a policy.

    Note

    You can't retrieve a particular statement based on the SID value.

    "Sid": "<SID>"

    <SID> can include ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).

  • Action | NotAction

    (Required) Determines which actions are allowed or denied, depending on the policy effect:

    • Effect is Allow

      • Action: any actions listed under Action are allowed.

      • NotAction: any actions that are not listed under NotAction are allowed.

    • Effect is Deny

      • Action: any actions listed under Action are denied.

      • NotAction: any actions that are not listed under NotAction are denied.

    Tip

    Using NotAction can result in a shorter policy by listing only a few actions that should not match, rather than including a long list of actions that will match.

    ("Action" | "NotAction"): (
        "S3:<ACTION>" |
        ["S3:<ACTION1>", "S3:<ACTION2>", ...] |
        "*")

    <ACTION> is the AWS S3 action name of any supported S3 action:

    "Action": "S3:GetObject"

    Note

    For supported actions and their Amazon S3 action names, see Supported S3 API Actions.

    You can use wildcards, for example:

    • To specify all actions beginning with Get, such as GetBucket and GetObject:

      "Action": "S3:Get*"

    • To specify all actions that include the string Object, such as GetObject, DeleteObject, and ListObjects:

      "Action": "S3:*Object*"

    • To specify all actions (either form is valid):

      "Action": "S3:*"
      "Action": "*"

  • Effect

    (Required) Determines whether the statement results in an allow or an explicit deny of the actions.

    "Effect": ("Allow" | "Deny")
  • Resource | NotResource

    (Required) Lists buckets and/or objects to which the policy statement applies.

    • With Resource, the policy statement applies to the specified buckets and/or objects.

    • With NotResource, the policy statement applies to any buckets and/or objects except those specified.

    ("Resource" | "NotResource"): (
        [<resource1>, <resource2>, ...] |
        "*")

    You can specify one or more resource elements in a statement.

    You can use wildcards, for example:

    • To specify a bucket:

      "Resource": "arn:aws:s3:::<bucketname>"

    • To specify all objects in a bucket:

      "Resource": "arn:aws:s3:::<bucketname>/*"

    • To specify all objects in a bucket that have a certain prefix:

      "Resource": "arn:aws:s3:::<bucketname>/<prefix>*"

    • To specify an object in a bucket:

      "Resource": "arn:aws:s3:::<bucketname>/<objectname>"

    • To specify all buckets and objects:

      "Resource": "*"

Identity Policy Examples

The following identity policy grants a user access to one of your buckets, BUCKET1, and allows the user to add, update, and delete objects in it.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["s3:ListObjects","s3:GetBucketLocation"],
         "Resource":"arn:aws:s3:::BUCKET1"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::BUCKET1/*"
      }
   ]
}

The following identity policy grants permission to perform all actions on all objects in all buckets:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow Everything",
    "Action": "*",
    "Effect": "Allow",
    "Resource": "*"
  }]
}

The following identity policy grants permission to perform the GetObject action on all objects in the bucket dev:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow All GetObject in dev Bucket",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::dev/*"
    }
  ]
}

The following identity policy grants permission for multiple actions on the bucket product and on all objects in the same bucket, while also denying delete permission on the same bucket and objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow multiple actions on product bucket and its objects",
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:Head*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::product",
        "arn:aws:s3:::product/*"
      ]
    },
    {
      "Sid": "Deny delete product bucket and objects",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::product",
        "arn:aws:s3:::product/*"
      ]
    }
  ]
}
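To make the Action/NotAction, Resource/NotResource and Effect rules from the element reference concrete, here is a small evaluator, added for this page and not part of the product's own code, that applies them to the product-bucket policy above and to a constructed NotAction policy. It assumes shell-style wildcard matching for "*" and that action names compare case-insensitively (the page writes both "S3:" and "s3:"); explicit Deny wins over Allow, and no match at all is an implicit Deny.

```python
import fnmatch

def _matches(patterns, value, fold_case=False):
    """True if value matches any pattern ('*' and '?' are wildcards)."""
    if isinstance(patterns, str):  # a single value without brackets is valid
        patterns = [patterns]
    if fold_case:  # assumption: action names compare case-insensitively (S3: vs s3:)
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request.

    Any matching Deny statement wins outright; otherwise some Allow statement
    must match; with no match at all the result is an implicit Deny.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):  # brackets are optional for one statement
        statements = [statements]
    allowed = False
    for st in statements:
        if "Action" in st:
            action_hit = _matches(st["Action"], action, fold_case=True)
        else:  # NotAction: the statement applies to every action NOT listed
            action_hit = not _matches(st["NotAction"], action, fold_case=True)
        if "Resource" in st:
            resource_hit = _matches(st["Resource"], resource)
        else:  # NotResource: the statement applies to every resource NOT listed
            resource_hit = not _matches(st["NotResource"], resource)
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

# The page's product-bucket example: a broad Allow plus an explicit Deny on deletes.
PRODUCT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow multiple actions on product bucket and its objects",
         "Action": ["s3:Get*", "s3:Put*", "s3:Head*", "s3:List*"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::product", "arn:aws:s3:::product/*"]},
        {"Sid": "Deny delete product bucket and objects",
         "Action": ["s3:DeleteBucket", "s3:DeleteObject"], "Effect": "Deny",
         "Resource": ["arn:aws:s3:::product", "arn:aws:s3:::product/*"]}]}

# Constructed NotAction policy: everything except deletes, on every resource.
NOT_DELETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAllButDelete", "NotAction": "s3:Delete*", "Effect": "Allow", "Resource": "*"}]}
```

With NOT_DELETE_POLICY, a delete is refused only because nothing allows it (implicit Deny), whereas with PRODUCT_POLICY the second statement denies it explicitly even though the first statement's wildcards would otherwise be broad.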