Creating an e3 Bucket Policy to Allow Specific File Extensions
In this guide we will explain how to create an e3 bucket policy that restricts uploads to only allow files with specific extensions (e.g., only .zip files) for a particular user. All other file types will be denied.
Basic Policy Structure
This policy uses the same JSON structure as described in "Understanding and Creating a Basic e3 Bucket Policy." Ensure you are familiar with Version, Statement, Sid, Effect, Principal, Action, and Resource.
You will also need your Tenant ID and Username from the eazyBackup e3 Cloud Storage Dashboard (Access Keys page) to construct the Principal ARN: arn:aws:iam::TENANT_ID:user/USERNAME
The Logic: Deny if NOT the Allowed Type
To allow only specific file extensions, we use a Deny rule. The logic is: "Deny the upload action if the file being uploaded is NOT one of the allowed types." This is achieved using the NotResource element.
Example Policy: Allow Only .zip File Uploads
This policy prevents the user from uploading any file to your-bucket-name unless the file has a .zip extension.
You will need to replace the placeholders:
- your-tenant-id with your actual Tenant ID.
- your-username with your actual Username.
- your-bucket-name with the name of the bucket.
Policy JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyZipUploads",
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "arn:aws:iam::your-tenant-id:user/your-username"
        ]
      },
      "Action": [
        "s3:PutObject"
      ],
      "NotResource": [
        "arn:aws:s3:::your-bucket-name/*.zip"
      ]
    }
  ]
}
Explanation of the Example Policy:
- "Sid": "AllowOnlyZipUploads": A descriptive name for this rule.
- "Effect": "Deny": This rule will prevent uploads if the condition (defined by NotResource) is met.
- "Principal": { "AWS": ["arn:aws:iam::your-tenant-id:user/your-username"] }: Identifies the specific e3 user this rule applies to.
- "Action": ["s3:PutObject"]: Specifies that the action being controlled is uploading objects.
- "NotResource": ["arn:aws:s3:::your-bucket-name/*.zip"]: The Deny effect applies if the object being uploaded does NOT match the pattern arn:aws:s3:::your-bucket-name/*.zip.
  - If a user tries to upload archive.zip, its resource name matches the pattern in NotResource. Therefore, this Deny rule does not apply, and the upload is effectively allowed (assuming no other Deny rules prevent it).
  - If a user tries to upload document.txt, its resource name does not match *.zip. Thus, the Deny rule will apply, and the upload is blocked.
Make sure to note the use of arrays [] for the Principal.AWS, Action, and NotResource values.
Adapt this for Other or Multiple File Extensions:
- Different Single Extension: To allow only .jpg files, change *.zip to *.jpg in the NotResource ARN: "arn:aws:s3:::your-bucket-name/*.jpg"
- Multiple Allowed Extensions: If you want to allow multiple extensions (e.g., .jpg and .png), add each pattern as a separate string in the NotResource array:
    "NotResource": [
      "arn:aws:s3:::your-bucket-name/*.jpg",
      "arn:aws:s3:::your-bucket-name/*.png"
    ]
  In this example, the Deny will apply if the file is not a .jpg AND not a .png.
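The following Python script is an added example, not code from this guide or from eazyBackup. It builds the Deny-unless-matching policy above for any list of allowed extensions (covering both the single .zip case and the multiple-extension variant) and then evaluates sample object keys against the NotResource patterns the same way the Deny rule does, so you can see which uploads the policy blocks before applying it. The tenant ID, username, bucket name and object keys are constructed placeholders, and the wildcard semantics (a * matches any run of characters, including /, and matching is case-sensitive) are those of S3 ARN matching; that e3 matches identically is an assumption.

```python
import json
import re

# Constructed placeholder values; replace with your real Tenant ID, Username and bucket.
TENANT_ID = "your-tenant-id"
USERNAME = "your-username"
BUCKET = "your-bucket-name"


def build_policy(tenant_id, username, bucket, allowed_extensions):
    """Return the Deny policy that allows only the listed extensions.

    Each extension becomes one "arn:aws:s3:::<bucket>/*.<ext>" entry in
    NotResource, exactly as the guide describes for one or several extensions.
    """
    patterns = [
        f"arn:aws:s3:::{bucket}/*.{ext.lstrip('.')}" for ext in allowed_extensions
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyListedUploads",
                "Effect": "Deny",
                "Principal": {"AWS": [f"arn:aws:iam::{tenant_id}:user/{username}"]},
                "Action": ["s3:PutObject"],
                "NotResource": patterns,
            }
        ],
    }


def arn_matches(pattern, arn):
    """Policy-style wildcard match (assumed S3 semantics): '*' matches any run of
    characters including '/', '?' matches one character, and the comparison is
    case-sensitive. '[' and ']' have no special meaning, unlike fnmatch."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, arn) is not None


def put_object_denied(policy, bucket, key):
    """Evaluate the policy's Deny statements for an s3:PutObject of bucket/key.

    Returns True when a Deny applies (upload blocked) and False when the object
    ARN matches one of the NotResource patterns, so the Deny does not fire.
    Only the Deny logic shown in the guide is modelled, not the full IAM
    evaluation (other Allow/Deny statements the user may have are ignored).
    """
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in stmt["Action"]:
            continue
        if not any(arn_matches(p, arn) for p in stmt["NotResource"]):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(TENANT_ID, USERNAME, BUCKET, [".jpg", ".png"])
    print(json.dumps(policy, indent=2))
    # Constructed sample keys, including the edge cases worth knowing about.
    for key in ["photo.jpg", "nested/dir/photo.png", "document.txt", "Photo.JPG", "photo.jpg.exe"]:
        verdict = "DENIED" if put_object_denied(policy, BUCKET, key) else "allowed"
        print(f"{key}: {verdict}")
```

Two properties of the rule are visible in the sample run and worth keeping in mind when you rely on it: the pattern is compared against the full object key, so objects under any prefix (nested/dir/photo.png) are allowed as long as the key ends with an allowed extension, and the comparison is case-sensitive, so Photo.JPG is blocked unless you also list *.JPG. The policy only examines the key name; it says nothing about the bytes actually stored, so treat it as an access-control rule rather than a content check.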
Applying the Policy
Save your policy to a JSON file and apply it with an S3-compatible tool such as the AWS CLI, configured to use the e3 service endpoint. Example:
aws s3api put-bucket-policy --bucket your-bucket-name --policy file://allow-zips-policy.json --endpoint-url <e3_endpoint_url>
Important:
- Testing is Important: After applying the policy, test by trying to upload allowed file types (which should succeed) and disallowed file types (which should be denied).
- This policy specifically controls the s3:PutObject action. If users need other permissions (like deleting specific file types), you would need additional or different policy statements. Please feel free to ask our team for assistance creating a policy that meets your requirements.