
BucketPolicy

The BucketPolicy resource allows you to manage the access policies for AWS S3Outposts Buckets. It helps define permissions for various actions on your S3Outposts resources.

Minimal Example

Create a basic bucket policy that allows public read access to a specific bucket.

```ts
import AWS from "alchemy/aws/control";

const bucketPolicy = await AWS.S3Outposts.BucketPolicy("public-read-policy", {
  Bucket: "my-outposts-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: "*",
      // S3 on Outposts IAM actions use the s3-outposts: prefix, not s3:
      Action: "s3-outposts:GetObject",
      // Object ARN form: outpost/<outpost-id>/bucket/<bucket>/object/<key>; op-0123456789abcdef0 is a placeholder Outpost ID
      Resource: "arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-0123456789abcdef0/bucket/my-outposts-bucket/object/*"
    }]
  },
  adopt: false // Default is false
});
```

Advanced Configuration

Configure a bucket policy that restricts access to a specific IP range.

```ts
const ipRestrictedPolicy = await AWS.S3Outposts.BucketPolicy("ip-restricted-policy", {
  Bucket: "my-outposts-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: {
        AWS: "arn:aws:iam::123456789012:role/MyRole"
      },
      // S3 on Outposts IAM actions use the s3-outposts: prefix, not s3:
      Action: "s3-outposts:PutObject",
      // op-0123456789abcdef0 is a placeholder Outpost ID
      Resource: "arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-0123456789abcdef0/bucket/my-outposts-bucket/object/*",
      Condition: {
        // Only requests originating from this CIDR range match the statement
        IpAddress: {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }]
  }
});
```

Conditional Access

Create a bucket policy that allows access based on the request's source VPC.

```ts
const vpcPolicy = await AWS.S3Outposts.BucketPolicy("vpc-access-policy", {
  Bucket: "my-outposts-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: "*",
      // S3 on Outposts IAM actions use the s3-outposts: prefix, not s3:
      Action: "s3-outposts:GetObject",
      // op-0123456789abcdef0 is a placeholder Outpost ID
      Resource: "arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-0123456789abcdef0/bucket/my-outposts-bucket/object/*",
      Condition: {
        // The wildcard principal is bounded by the VPC the request comes from
        StringEquals: {
          "aws:SourceVpc": "vpc-abcdef123"
        }
      }
    }]
  }
});
```

Multi-Account Access

Establish a policy that allows cross-account access to a bucket.

```ts
const crossAccountPolicy = await AWS.S3Outposts.BucketPolicy("cross-account-policy", {
  Bucket: "my-outposts-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: {
        AWS: "arn:aws:iam::098765432109:role/OtherAccountRole"
      },
      // S3 on Outposts IAM actions use the s3-outposts: prefix, not s3:
      Action: "s3-outposts:ListBucket",
      // ListBucket applies to the bucket ARN itself, not to object paths; op-0123456789abcdef0 is a placeholder Outpost ID
      Resource: "arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-0123456789abcdef0/bucket/my-outposts-bucket"
    }]
  }
});
```
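The policy documents on this page are plain objects, so they can be checked before they are handed to `AWS.S3Outposts.BucketPolicy`. The following lint is an added example, not Alchemy's own code: it rejects `s3:` actions (S3 on Outposts only matches `s3-outposts:` actions), resources outside the target bucket, and any `Allow` to `Principal: "*"` that lacks a VPC, VPC-endpoint or source-IP condition like the ones shown above. The bucket ARN and its Outpost ID are constructed placeholders.

```ts
type Statement = {
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Version: string; Statement: Statement[] };

// Condition keys that pin a grant to a network location (VPC, VPC endpoint, IP range).
const NETWORK_KEYS = ["aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp"];
function asArray<T>(v: T | T[]): T[] {
  return Array.isArray(v) ? v : [v];
}

// Returns one finding per problem; an empty array means the document passed the checks.
function lintPolicy(doc: PolicyDocument, bucketArn: string): string[] {
  const findings: string[] = [];
  if (doc.Version !== "2012-10-17") findings.push("Version must be 2012-10-17");
  doc.Statement.forEach((s, i) => {
    const where = `Statement[${i}]`;
    // S3 on Outposts IAM actions use the s3-outposts: prefix; s3: actions never match.
    for (const a of asArray(s.Action)) {
      if (a.indexOf("s3-outposts:") !== 0) findings.push(`${where}: ${a} is not an s3-outposts: action`);
    }
    // Every resource must be this bucket or a path beneath it, not another bucket or a bare wildcard.
    for (const r of asArray(s.Resource)) {
      if (r !== bucketArn && r.indexOf(bucketArn + "/") !== 0) findings.push(`${where}: ${r} is outside the bucket`);
    }
    // An Allow to Principal "*" must carry a condition that scopes it to a network.
    if (s.Effect === "Allow" && s.Principal === "*") {
      const cond = s.Condition || {};
      const keys: string[] = [];
      for (const op of Object.keys(cond)) keys.push(...Object.keys(cond[op]));
      if (!keys.some((k) => NETWORK_KEYS.indexOf(k) >= 0)) findings.push(`${where}: unconditioned Allow to Principal "*"`);
    }
  });
  return findings;
}

// Constructed sample inputs; the Outpost ID in the ARN is a placeholder.
const BUCKET_ARN = "arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-0123456789abcdef0/bucket/my-outposts-bucket";
const vpcScopedRead: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: "*", Action: "s3-outposts:GetObject", Resource: `${BUCKET_ARN}/object/*`,
    Condition: { StringEquals: { "aws:SourceVpc": "vpc-abcdef123" } } }],
};
const unscopedRead: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: `${BUCKET_ARN}/object/*` }],
};
```

`lintPolicy(vpcScopedRead, BUCKET_ARN)` returns no findings, while `unscopedRead` produces two: the `s3:` action and the unconditioned wildcard principal.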