The policies use bucket and examplebucket strings in the resource value. To test these policies, replace these strings with your bucket name. You can use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket. You can then use the generated document to set your bucket policy by using the Amazon S3 console, through several third-party tools, or via your application.


hen testing permissions using the Amazon S3 console, you will need to grant additional permissions that the console requires—s3:ListAllMyBuckets, s3:GetBucketLocation, and s3:ListBucket permissions. For an example walkthrough that grants permissions to users and tests them using the console.


  1. Granting Permissions to Multiple Accounts with Added Conditions
    • The following example policy grants the s3:PutObject and s3:PutObjectAcl permissions to multiple AWS accounts and requires that any request for these operations include the public-read canned access control list (ACL).
  2. Restricting Access to Specific IP Addresses
    • The Condition block uses the NotIpAddress condition and the aws:SourceIp condition key, which is an AWS-wide condition key. For more information about these condition keys, see Amazon S3 Condition Keys. The aws:SourceIp IPv4 values use the standard CIDR notation. 
  3. Allowing IPv4 and IPv6 Addresses
    • When you start using IPv6 addresses, we recommend that you update all of your organization's policies with your IPv6 address ranges in addition to your existing IPv4 ranges to ensure that the policies continue to work as you make the transition to IPv6.
  4. Restricting Access to a Specific HTTP Referer
    1. Suppose that you have a website with a domain name ( or with links to photos and videos stored in your Amazon S3 bucket, examplebucket. By default, all the Amazon S3 resources are private, so only the AWS account that created the resources can access them. 

Default: S3 buckets have policies