Creating an e3 Bucket Policy to Allow Specific File Extensions
In this guide we will explain how to create an e3 bucket policy that restricts uploads to files with specific extensions (e.g., only .zip files) for a particular user. All other file types will be denied.
Basic Policy Structure
This policy uses the same JSON structure as described in "." Ensure you are familiar with Version, Statement, Sid, Effect, Principal, Action, and Resource.
You will also need your Tenant ID and Username from the eazyBackup e3 Cloud Storage Dashboard (Access Keys page) to construct the Principal ARN: arn:aws:iam::TENANT_ID:user/USERNAME.
The Logic: Deny if NOT the Allowed Type
To allow only specific file extensions, we use a Deny rule. The logic is: "Deny the upload action if the file being uploaded is NOT one of the allowed types." This is achieved using the NotResource element.
Example Policy: Allow Only .zip File Uploads
This policy will prevent the user from uploading any file to your-bucket-name unless the file has a .zip extension.
You will need to replace the placeholders:
your-tenant-id with your actual Tenant ID.
your-username with your actual Username.
your-bucket-name with the name of the bucket.
Policy JSON:
Explanation of the Example Policy:
"Sid": "AllowOnlyZipUploads": A descriptive name for this rule.
"Effect": "Deny": This rule will prevent uploads if the condition (defined by NotResource) is met.
"Principal": { "AWS": ["arn:aws:iam::your-tenant-id:user/your-username"] }: Identifies the specific e3 user this rule applies to.
"Action": ["s3:PutObject"]: Specifies that the action being controlled is uploading objects.
"NotResource": ["arn:aws:s3:::your-bucket-name/*.zip"]: This means the Deny effect applies if the object being uploaded does NOT match the pattern arn:aws:s3:::your-bucket-name/*.zip.
If a user tries to upload archive.zip, its resource name matches the pattern in NotResource. Therefore, this Deny rule does not apply, and the upload is effectively allowed (assuming no other Deny rules prevent it).
If a user tries to upload document.txt, its resource name does not match *.zip. Thus, the Deny rule will apply, and the upload is blocked.
Note the use of arrays [] for the Principal.AWS, Action, and NotResource values.
Adapt this for Other or Multiple File Extensions:
Different Single Extension: To allow only .jpg files, change *.zip to *.jpg in the NotResource ARN: "arn:aws:s3:::your-bucket-name/*.jpg"
Multiple Allowed Extensions: If you want to allow multiple extensions (e.g., .jpg and .png), add each pattern as a separate string in the NotResource array:
In this example, the Deny will apply if the file is not a .jpg AND not a .png.
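The single-extension policy and the multi-extension NotResource array described above can be generated and checked before applying them; the following Python is an added example, not eazyBackup's own code. The function names, the Sid used for the .jpg/.png variant, the Version value 2012-10-17, and the case-sensitive `*`/`?` matching rules are assumptions, and the check models only this one Deny statement rather than a full policy engine.

```python
import json
import re

def build_policy(tenant_id, username, bucket, extensions, sid):
    """Build the Deny + NotResource upload policy described in this guide."""
    return {
        "Version": "2012-10-17",  # assumed: the standard S3 policy language version
        "Statement": [{
            "Sid": sid,
            "Effect": "Deny",
            "Principal": {"AWS": [f"arn:aws:iam::{tenant_id}:user/{username}"]},
            "Action": ["s3:PutObject"],
            # One pattern per allowed extension; anything matching none is denied.
            "NotResource": [f"arn:aws:s3:::{bucket}/*.{ext.lstrip('.')}"
                            for ext in extensions],
        }],
    }

def arn_matches(pattern, arn):
    # Assumed matching rules: "*" = any run of characters (including "/"),
    # "?" = exactly one character, everything else literal and case-sensitive.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn, flags=re.DOTALL) is not None

def upload_denied(policy, principal_arn, bucket, key):
    """True if a Deny statement in the policy applies to s3:PutObject on key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(
        st["Effect"] == "Deny"
        and principal_arn in st["Principal"]["AWS"]
        and "s3:PutObject" in st["Action"]
        and not any(arn_matches(p, arn) for p in st["NotResource"])
        for st in policy["Statement"]
    )

if __name__ == "__main__":
    user = "arn:aws:iam::your-tenant-id:user/your-username"
    # "AllowOnlyImageUploads" is a hypothetical Sid for the .jpg/.png variant.
    policy = build_policy("your-tenant-id", "your-username", "your-bucket-name",
                          [".jpg", ".png"], "AllowOnlyImageUploads")
    print(json.dumps(policy, indent=2))
    # Constructed sample keys to try before applying the policy.
    for key in ["photo.jpg", "img/scan.png", "PHOTO.JPG", "document.txt"]:
        verdict = "denied" if upload_denied(policy, user, "your-bucket-name", key) else "not denied"
        print(f"{key}: {verdict}")
```

The statement judges an object by its key name only, so it constrains file names rather than file contents. Under the case-sensitive assumption, PHOTO.JPG is denied while photo.jpg is not.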
Applying the Policy
Save your policy to a JSON file and apply it using an S3-compatible tool such as the AWS CLI, configured with the e3 service endpoint. Example:
aws s3api put-bucket-policy --bucket your-bucket-name --policy file://allow-zips-policy.json --endpoint-url <e3_endpoint_url>
Important:
Testing is Important: After applying the policy, test by trying to upload allowed file types (which should succeed) and disallowed file types (which should be denied).
This policy specifically controls the s3:PutObject action. If users need other permissions (like deleting specific file types), you would need additional or different policy statements. Please feel free to ask our team for assistance creating a policy that meets your requirements.