Configuring Permission Policies

A bucket owner can perform the PUT Bucket Policy operation to set an access policy for the bucket. A new policy overwrites the existing one. A bucket owner can also perform the Get Bucket Policy or Delete Bucket Policy operation to obtain or delete the existing bucket policy. After a bucket policy is set, all requests to access the bucket are subject to this policy, and the content of the policy determines whether a request is accepted or rejected.

When a bucket policy checks the permission in a statement, the result is Explicit Deny, Allow, or Default Deny. If a bucket policy contains multiple statements, the policy checks every statement and determines which statement result prevails according to the following rule: explicit deny > allow > default deny.

  1. If conditions in any statement of a policy are not met, the policy results in a default deny.
  2. An explicit deny overrides allows.
  3. An allow overrides default denies.
  4. The order of statements does not affect the result.
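
The precedence rule above can be modelled in a few lines. This is an added example, not the storage service's own code. The statement fields (`Effect`, `Principal`, `Action`, `Resource`), the `*` wildcard matching, and the sample policy are assumptions made for illustration, and statement conditions are left out.

```python
from fnmatch import fnmatchcase

EXPLICIT_DENY, ALLOW, DEFAULT_DENY = "Explicit Deny", "Allow", "Default Deny"

def _matches(patterns, value):
    """True if value matches any pattern ('*' is a wildcard)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def statement_result(stmt, req):
    """One statement's result: its effect if it applies, else Default Deny."""
    applies = (_matches(stmt["Principal"], req["principal"])
               and _matches(stmt["Action"], req["action"])
               and _matches(stmt["Resource"], req["resource"]))
    if not applies:
        return DEFAULT_DENY
    # Fail closed: anything other than a literal "Allow" is treated as a deny.
    return ALLOW if stmt["Effect"] == "Allow" else EXPLICIT_DENY

def evaluate(policy, req):
    """Combine all statement results: explicit deny > allow > default deny."""
    results = {statement_result(s, req) for s in policy["Statement"]}
    if EXPLICIT_DENY in results:
        return EXPLICIT_DENY
    return ALLOW if ALLOW in results else DEFAULT_DENY

def request(principal, action, resource):
    """Build a request record in the shape evaluate() expects."""
    return {"principal": principal, "action": action, "resource": resource}

# Constructed sample policy (hypothetical bucket, user and action names).
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": "GetObject", "Resource": "examplebucket/*"},
    {"Effect": "Deny", "Principal": "*",
     "Action": "*", "Resource": "examplebucket/private/*"},
    {"Effect": "Allow", "Principal": "user/alice",
     "Action": "PutObject", "Resource": "examplebucket/uploads/*"},
]}

if __name__ == "__main__":
    for req in (request("user/bob", "GetObject", "examplebucket/public/a.txt"),
                request("user/alice", "GetObject", "examplebucket/private/key.pem"),
                request("user/bob", "PutObject", "examplebucket/uploads/x.bin")):
        print(req["principal"], req["action"], req["resource"], "->",
              evaluate(POLICY, req))
```

The second request is matched by both the first Allow statement and the Deny statement, so the explicit deny prevails; the third matches no statement and falls through to a default deny.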

A bucket owner can configure a bucket policy or the ACL to control the access permission for the bucket. The permission rule configured in a bucket policy has higher priority than that defined by the ACL.