# Bucket Policy Configuration

A bucket policy manages access control for a bucket by defining who can access it and which actions they can perform. It allows secure, fine-grained permission management using a JSON policy. By applying a bucket policy, specific users can be granted limited access, such as read-only or download permissions, without changing the bucket’s visibility. This ensures better security and controlled usage of object storage resources.

Prerequisite – User Management

1. Go to **Users → Users**
2. Confirm that your sub-user is created and active.

<figure><img src="https://2683631041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPPVG4W649TwXN8OejRhb%2Fuploads%2FBE9iExe1DM64jm6EMJIo%2Fimage.png?alt=media&#x26;token=c8b13cda-f58d-4a56-aa0f-bf33e707f3a9" alt=""><figcaption></figcaption></figure>

Steps to Configure Bucket Policy:

* Navigate to **Buckets** from the left menu.
* Select the required bucket, click on **Bucket Settings**, then open the **Access Control & Permissions** tab.

<figure><img src="https://2683631041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPPVG4W649TwXN8OejRhb%2Fuploads%2FsqeeCD7boYhtkeUYqBvE%2Fimage.png?alt=media&#x26;token=56d23f19-e8ef-4772-8847-fcf31428972d" alt=""><figcaption></figcaption></figure>

In the policy editor, paste the required JSON policy:

{% code expandable="true" %}

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/708c9b68-ba14-411f-bb4e-9c7a7dd7a617:accessuser"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::prertest/*"
      ]
    }
  ]
}
```

{% endcode %}

{% hint style="info" %}
**Before applying the policy, make sure you have created a** [**USER**](https://docs.zata.ai/user)**.**
{% endhint %}

In this policy, the following values are defined:

* **Effect:** `Allow`\
  This specifies that the permission is granted.
* **Principal:**\
  The sub-user to whom access is given. In this case, the sub-user **accessuser** is used:

  ```
  {"AWS": ["arn:aws:iam:::user/708c9b68-ba14-411f-bb4e-9c7a7dd7a617:accessuser"]}
  ```
* **Action:** `s3:GetObject`\
  This allows the user to read and download objects from the bucket.
* **Resource:**

  ```
  arn:aws:s3:::prertest/*
  ```

  This applies the permission to all objects inside the **prertest** bucket.

<figure><img src="https://2683631041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPPVG4W649TwXN8OejRhb%2Fuploads%2FxH47cpOkKtoe8BrT7JKt%2Fimage.png?alt=media&#x26;token=e7b63afa-364f-46ca-90f2-5757f3736958" alt=""><figcaption></figcaption></figure>
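A pre-flight check that can be run on the JSON before it is pasted into the editor, as an added example that is not part of Zata's documentation or tooling; the function name `audit_policy` and the over-broad sample policy are constructed for illustration. It flags any `Allow` statement that goes beyond the read-only, named-user, single-bucket grant described above.

```python
import json

# The policy from this page, and a constructed over-broad variant for contrast.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam:::user/708c9b68-ba14-411f-bb4e-9c7a7dd7a617:accessuser"]},
  "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::prertest/*"]}]}"""
BROAD_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["*"]}, "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": ["arn:aws:s3:::prertest/*", "arn:aws:s3:::*"]}]}"""

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text, bucket, allowed_actions=("s3:GetObject",)):
    """Return findings; an empty list means every Allow statement is read-only,
    names explicit principals, and stays inside `bucket`."""
    findings = []
    policy = json.loads(policy_text)
    allowed = {a.lower() for a in allowed_actions}
    prefix = f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for key in ("NotPrincipal", "NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"statement {i}: {key} grants by exclusion")
        principal = stmt.get("Principal")
        names = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if not names or any(n is None or "*" in str(n) for n in names):
            findings.append(f"statement {i}: principal is missing or wildcard")
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in allowed:
                findings.append(f"statement {i}: action {action} exceeds read-only")
        for res in _as_list(stmt.get("Resource")):
            if res != prefix and not res.startswith(prefix + "/"):
                findings.append(f"statement {i}: resource {res} is outside {bucket}")
    return findings

if __name__ == "__main__":
    for name, text in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, "->", audit_policy(text, "prertest") or "OK")
```

An empty result means the policy matches the read-only grant for the named bucket; any finding should be resolved before saving.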

Click on **Validate Policy** to verify the syntax and structure of the policy. After successful validation, click on **Save** to apply the policy.

**Delete the Bucket policy:**

To delete a bucket policy, navigate to *Buckets → Bucket Settings → Access Control & Permissions*, clear the existing policy from the Bucket Policy editor, and click **Save**. This removes all custom access rules applied to the bucket.
