
The request body is a JSON string containing the policy document, i.e. the policy statements.

The Vault system supports only these bucket policy types:

Restricting Access to a Specific HTTP Referrer

The only accepted format is the one below, which allows GetObject on the bucket only from the specified referrer URIs.

{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originated from URI-1 and URI-2",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringLike": { "aws:Referer": ["URI-1"] },
        "StringLike": { "aws:Referer": ["URI-2"] }
      }
    }
  ]
}

  • Multiple "StringLike" conditions can be specified.

  • The URI values (e.g., URI-1 and URI-2) are compared against the HTTP Referer header case-insensitively; the multi-character wildcard (*) and the single-character wildcard (?) are supported.

Restricting Access to Specific IP Addresses

The Vault system supports restricting bucket access to specific source IP addresses by using the "IpAddress" and/or "NotIpAddress" conditions with the "aws:SourceIp" condition key. The example below allows authenticated users from the source address range 54.240.143.* to perform any S3 action — except for requests from the origin IP address 54.240.143.188, which are denied.

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "54.240.143.0/24" },
        "NotIpAddress": { "aws:SourceIp": "54.240.143.188/32" }
      }
    }
  ]
}

Policy for Server-Side Encryption

The Vault system supports bucket policies that mandate server-side encryption (object upload requests are rejected if they omit the server-side encryption request header) or that forbid server-side encryption (object upload requests are rejected if they include the server-side encryption request header).

For example, the policy below requires all PUT Object requests to include the encryption request header:

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" }
      }
    }
  ]
}

Policy for Public Access to Buckets Configured as Websites

If you have configured a bucket as a static website (using PUT Bucket Website), you can establish a bucket policy that allows public access to the website:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadForGetBucketObjects",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}

For further information, see the Amazon documentation on Setting Up a Website.
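To check how the referrer, source-IP and server-side-encryption policies above combine before a policy is deployed, the following added example (not code from the Vault product or its documentation) evaluates a constructed demo policy against sample requests using the condition semantics this page describes: case-insensitive wildcard matching on aws:Referer, CIDR matching for IpAddress/NotIpAddress, StringNotEquals on the encryption header, and an explicit Deny overriding any Allow. The policy text, request values and the fail-closed handling of unsupported operators are assumptions of the example.

```python
import fnmatch
import ipaddress
import json
def _merge_dupes(pairs):
    # The page allows repeated "StringLike" keys; plain json.loads would keep only the last one.
    out = {}
    for k, v in pairs:
        if k not in out or not isinstance(v, dict) or not isinstance(out[k], dict):
            out[k] = v
            continue
        for ck, cv in v.items():  # merge the repeated operator's key values into one list
            prev = out[k].get(ck, [])
            out[k][ck] = (prev if isinstance(prev, list) else [prev]) + (cv if isinstance(cv, list) else [cv])
    return out
def _conditions_match(cond, referer, source_ip, sse_header):
    for op, kv in cond.items():
        for key, want in kv.items():
            want = want if isinstance(want, list) else [want]
            if op == "StringLike" and key == "aws:Referer":
                # Case-insensitive comparison with * and ? wildcards, as the page describes.
                if referer is None or not any(fnmatch.fnmatchcase(referer.lower(), p.lower()) for p in want):
                    return False
            elif op in ("IpAddress", "NotIpAddress") and key == "aws:SourceIp":
                hit = source_ip is not None and any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(c, strict=False) for c in want)
                if hit != (op == "IpAddress"):
                    return False
            elif op == "StringNotEquals" and key == "s3:x-amz-server-side-encryption":
                if sse_header in want:  # a missing header also satisfies StringNotEquals, so it gets denied
                    return False
            else:
                return False  # operator/key outside the page's supported set: fail closed (assumption)
    return True
def evaluate_policy(policy_json, action, referer=None, source_ip=None, sse_header=None):
    """True if the request is allowed. An explicit Deny overrides Allow; no matching Allow means denied."""
    allowed = False
    for stmt in json.loads(policy_json, object_pairs_hook=_merge_dupes)["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not _conditions_match(stmt.get("Condition", {}), referer, source_ip, sse_header):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
# Constructed demo policy combining the page's referrer, source-IP and encryption statement patterns.
DEMO_POLICY = """{"Version":"2012-10-17","Statement":[
{"Sid":"RefererAllow","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::examplebucket/*","Condition":{"StringLike":{"aws:Referer":["http://www.example.com/*"]},"StringLike":{"aws:Referer":["https://www.example.com/*"]}}},
{"Sid":"IPAllow","Effect":"Allow","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::examplebucket/*","Condition":{"IpAddress":{"aws:SourceIp":"54.240.143.0/24"},"NotIpAddress":{"aws:SourceIp":"54.240.143.188/32"}}},
{"Sid":"DenyUnEncryptedObjectUploads","Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::examplebucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"AES256"}}}]}"""
```

Note that a referrer such as http://www.example.com.evil.net/ is rejected because the pattern requires a slash right after the host, and an unencrypted PutObject from an allowed address is still denied because the Deny statement wins.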
