# How to Configure Bucket Policies

Spaces Object Storage is an S3-compatible service for storing and serving large amounts of data. The built-in Spaces CDN minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs.

[Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) define access control rules for Spaces buckets using JSON-based policies. They specify who can access the bucket and what actions they can perform, such as setting access permissions, modifying ACLs, or configuring CORS settings. You can configure and set bucket policies using the Spaces API, AWS CLI, or [`s3cmd`](#configure-bucket-policies-using-s3cmd).

**Note**: Spaces Cold Storage buckets do not support bucket policies. All API requests to Spaces Cold Storage buckets must be signed with valid access keys. For details, see [Spaces Limits](https://docs.digitalocean.com/products/spaces/details/limits/index.html.md).

While [Access Control Lists (ACLs)](https://docs.digitalocean.com/reference/api/spaces/index.html.md#set-a-buckets-acls) provide basic, predefined permissions for individual users or groups, bucket policies offer more flexible, JSON-based rules that enable fine-grained access control for Spaces buckets. Bucket policies are recommended for managing complex permissions and conditional access, while ACLs work well for simple permission settings.

To configure bucket policies with the API, see [Configure a Bucket’s Bucket Policies](https://docs.digitalocean.com/reference/api/spaces/index.html.md#configure-a-buckets-bucket-policies). Alternatively, you can use AWS CLI to [configure bucket policies](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html).

## Configure Bucket Policies Using `s3cmd`

You can also configure bucket permissions using `s3cmd`. Below are examples for [setting a public read policy](#set-a-public-read-policy) and [setting a private access policy](#set-a-private-access-policy). Substitute the variables as needed.

#### Set a Public Read Policy

To allow public read access to all objects in a Space, first create a `public-policy.json` file with the following content to allow public read access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-space-name/*"
    }
  ]
}
```

This `public-policy.json` file contains a valid JSON policy granting public read access to all objects in your specified Space. Set the policy using the following command:

```shell
s3cmd setpolicy public-policy.json s3://your-space-name
```

#### Set a Private Access Policy

To restrict access to only the bucket owner, create a file `private-policy.json` with the following content to restrict access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-space-name/*"
    }
  ]
}
```

This `private-policy.json` file applies a policy that ensures only the owner has access to the objects in the Space. Set the policy using the following command:

```shell
s3cmd setpolicy private-policy.json s3://your-space-name
```

For more details, see the [s3cmd documentation](https://docs.digitalocean.com/products/spaces/reference/s3cmd/index.html.md).