# Creating an e3 Bucket Policy to Allow Specific File Extensions

This guide explains how to create an e3 bucket policy that restricts a particular user's uploads to files with specific extensions (e.g., only `.zip` files). Uploads of all other file types are denied.

**Basic Policy Structure**

This policy uses the same JSON structure as described in "[Understanding and Creating a Basic e3 Bucket Policy](/e3-object-storage/understanding-and-creating-a-basic-e3-bucket-policy.md)." Ensure you are familiar with `Version`, `Statement`, `Sid`, `Effect`, `Principal`, `Action`, and `Resource`.

You will also need your **Account ID** and **Username** from the eazyBackup e3 Cloud Storage Dashboard (Access Keys page) to construct the `Principal` ARN: `arn:aws:iam::ACCOUNT_ID:user/USERNAME`.

**The Logic: Deny if NOT the Allowed Type**

To allow only specific file extensions, we use a `Deny` rule. The logic is: "Deny the upload action if the file being uploaded is **NOT** one of the allowed types." This is achieved using the `NotResource` element.

**Example Policy: Allow Only `.zip` File Uploads**

This policy denies the user's upload of any file to `your-bucket-name` unless the file has a `.zip` extension.

1. **You will need to replace the placeholders**:
   * `your-account-id` with your actual Account ID.
   * `your-username` with your actual Username.
   * `your-bucket-name` with the name of the bucket.
2. **Policy JSON**:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyZipUploads",
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "arn:aws:iam::your-account-id:user/your-username"
        ]
      },
      "Action": [
        "s3:PutObject"
      ],
      "NotResource": [
        "arn:aws:s3:::your-bucket-name/*.zip"
      ]
    }
  ]
}
```

**Explanation of the Example Policy:**

* `"Sid": "AllowOnlyZipUploads"`: A descriptive name for this rule.
* `"Effect": "Deny"`: This rule will prevent uploads if the condition (defined by `NotResource`) is met.
* `"Principal": { "AWS": ["arn:aws:iam::your-account-id:user/your-username"] }`: Identifies the specific e3 user this rule applies to.
* `"Action": ["s3:PutObject"]`: Specifies that the action being controlled is uploading objects.
* `"NotResource": ["arn:aws:s3:::your-bucket-name/*.zip"]`: This means the `Deny` effect applies if the object being uploaded does **NOT** match the pattern `arn:aws:s3:::your-bucket-name/*.zip`.
  * If a user tries to upload `archive.zip`, its resource name matches the pattern in `NotResource`. Therefore, this `Deny` rule does **not** apply, and the upload is effectively allowed (assuming no other Deny rules prevent it).
  * If a user tries to upload `document.txt`, its resource name does **not** match `*.zip`. Thus, the `Deny` rule **will** apply, and the upload is blocked.
* Make sure to note the use of arrays `[]` for `Principal.AWS`, `Action`, and `NotResource` values.

**Adapt this for Other or Multiple File Extensions:**

* **Different Single Extension:** To allow only `.jpg` files, change `*.zip` to `*.jpg` in the `NotResource` ARN: `"arn:aws:s3:::your-bucket-name/*.jpg"`
* **Multiple Allowed Extensions:** If you want to allow multiple extensions (e.g., `.jpg` and `.png`), add each pattern as a separate string in the `NotResource` array:

```
"NotResource": [
  "arn:aws:s3:::your-bucket-name/*.jpg",
  "arn:aws:s3:::your-bucket-name/*.png"
]
```

* In this example, the `Deny` will apply if the file is not a `.jpg` AND not a `.png`.
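To check which object keys a multi-extension policy would block before applying it, the following added example (not part of the e3 documentation or tooling) builds the policy from a list of extensions and evaluates constructed sample keys against its `NotResource` patterns. It assumes e3 matches wildcards the way AWS S3 does (`*` matches any run of characters including `/`, comparison is case-sensitive) and that the request comes from the user named in `Principal`; the function names and the `Sid` are hypothetical.

```python
import json
import re

def build_policy(account_id, username, bucket, extensions):
    """Build the guide's Deny/NotResource statement for a list of allowed extensions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyListedExtensions",  # hypothetical Sid
            "Effect": "Deny",
            "Principal": {"AWS": [f"arn:aws:iam::{account_id}:user/{username}"]},
            "Action": ["s3:PutObject"],
            "NotResource": [f"arn:aws:s3:::{bucket}/*.{ext.lstrip('.')}"
                            for ext in extensions],
        }],
    }

def _arn_matches(pattern, arn):
    # Assumption: AWS-style matching. '*' = any run of characters (including '/'),
    # '?' = exactly one character, and the comparison is case-sensitive.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn, re.DOTALL) is not None

def is_upload_denied(policy, bucket, key):
    """True if a Deny statement applies to s3:PutObject on this key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in stmt["Action"]:
            continue
        # NotResource: the Deny applies when the ARN matches none of the patterns.
        if not any(_arn_matches(p, arn) for p in stmt["NotResource"]):
            return True
    return False

# Constructed sample values using the guide's placeholders.
BUCKET = "your-bucket-name"
POLICY = build_policy("your-account-id", "your-username", BUCKET, ["jpg", "png"])
SAMPLE_KEYS = ["photo.jpg", "logos/brand.png", "document.txt",
               "PHOTO.JPG", "script.sh.png", "photo.jpg.bak"]

def evaluate(keys=SAMPLE_KEYS):
    return {k: "denied" if is_upload_denied(POLICY, BUCKET, k) else "not denied"
            for k in keys}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for key, verdict in evaluate().items():
        print(f"{verdict:10}  {key}")
```

The `PHOTO.JPG` and `script.sh.png` rows show that the rule looks only at the key name: an upper-case extension is blocked under case-sensitive matching, and any content can be uploaded under a name that ends in an allowed extension. "Not denied" means only that this statement does not block the upload; the user still needs a permission that allows `s3:PutObject`.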

**Applying the Policy**

Save your policy to a JSON file and apply it using an S3-compatible tool, such as the AWS CLI, that is configured with the e3 service endpoint. Example:

```
aws s3api put-bucket-policy --bucket your-bucket-name --policy file://allow-zips-policy.json --endpoint-url <e3_endpoint_url>
```

**Important:**

* **Testing is Important:** After applying the policy, test by trying to upload allowed file types (which should succeed) and disallowed file types (which should be denied).
* This policy specifically controls the `s3:PutObject` action. If users need other permissions (like deleting specific file types), you would need additional or different policy statements. Please feel free to ask our team for assistance creating a policy that meets your requirements.

