Alchemy

Appearance

BucketPolicy

The BucketPolicy resource allows you to manage AWS S3 Bucket Policies to control access to your S3 buckets. This resource helps define the permissions for who can access the bucket and what actions they can perform.

Minimal Example

Create a basic S3 bucket policy that grants read access to all users.

ts
import AWS from "alchemy/aws/control";

const bucketPolicy = await AWS.S3.BucketPolicy("publicReadPolicy", {
  Bucket: "my-public-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:::my-public-bucket/*"
      }
    ]
  }
});

Advanced Configuration

Configure a bucket policy that restricts access to specific IP addresses and allows both read and write actions.

ts
const restrictedAccessPolicy = await AWS.S3.BucketPolicy("restrictedPolicy", {
  Bucket: "my-restricted-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject", "s3:PutObject"],
        Resource: "arn:aws:s3:::my-restricted-bucket/*",
        Condition: {
          IpAddress: {
            "aws:SourceIp": "203.0.113.0/24"
          }
        }
      }
    ]
  }
});

Conditional Access Policy

Create a bucket policy that allows access only if a specific tag is present on the request.

ts
const conditionalAccessPolicy = await AWS.S3.BucketPolicy("taggedAccessPolicy", {
  Bucket: "my-tagged-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:::my-tagged-bucket/*",
        Condition: {
          StringEquals: {
            "s3:ExistingObjectTag/Access": "granted"
          }
        }
      }
    ]
  }
});

Multi-Account Access

Set up a bucket policy that allows another AWS account to access your S3 bucket.

ts
const crossAccountPolicy = await AWS.S3.BucketPolicy("crossAccountPolicy", {
  Bucket: "my-cross-account-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          AWS: "arn:aws:iam::123456789012:root"
        },
        Action: "s3:*",
        Resource: [
          "arn:aws:s3:::my-cross-account-bucket",
          "arn:aws:s3:::my-cross-account-bucket/*"
        ]
      }
    ]
  }
});