[Yandex Cloud documentation](../../../index.md) > [Yandex Object Storage](../../index.md) > [Step-by-step guides](../index.md) > Buckets > Managing access policies

# Managing a bucket policy

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see [Access management methods in Object Storage: Overview](../../security/overview.md).

[Bucket policies](../../concepts/policy.md) set permissions for operations with [buckets](../../concepts/bucket.md), [objects](../../concepts/object.md), and object groups.

For examples of bucket policies for specific use cases, see [Configuration examples](../../concepts/policy.md#config-examples).


{% note warning %}

If you want to assign an access policy to a bucket and connect to this bucket from a Apache Hive™ Metastore or Yandex Managed Service for Apache Airflow™ cluster, you will need some additional infrastructure setup. For more information, see these guides for [Apache Hive™ Metastore](../../../metadata-hub/operations/metastore/s3-policy-connect.md) and [Managed Service for Apache Airflow™](../../../managed-airflow/operations/s3-policy-connect.md).

{% endnote %}


## Applying or updating a policy {#apply-policy}

The minimum role required to apply or update a bucket policy is `storage.configurer`. For more information, see the [role description](../../security/index.md#storage-configurer).

{% note info %}

If the bucket already had a bucket policy configured, it will be completely overwritten once you apply the changes.

{% endnote %}

To apply or update a bucket policy:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select a folder.
  1. Navigate to **Object Storage**.
  1. Select the bucket to configure an access policy in.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/persons-lock.svg) **Security** and go to the **Access policy** tab.
  1. Click **Configure access**.
  1. Enter a bucket policy ID.
  1. Set up a rule:
     1. Enter a rule ID.
     1. Configure rule settings:
        * **Result**: Allow or deny.
        * **Selection principle**: Include or exclude users.
        * **User**: Select all users or list specific subjects.

            To list specific subjects:
            
            * Select `Select users`.

            * Select the [subjects](../../../iam/concepts/access-control/index.md#subject) you need from the list. To do this, place the cursor in the subject input field, then select the required [user](../../../overview/roles-and-resources.md#users), [service account](../../../iam/concepts/users/service-accounts.md), [user group](../../../organization/concepts/groups.md), [system group](../../../iam/concepts/access-control/system-group.md), or [public group](../../../iam/concepts/access-control/public-group.md) in the form that appears. If required, use the relevant tabs in the form or the search bar to find a subject by name or email address.

                You can select multiple subjects; to do this, select them one by one.

        * **Action** for which you are creating the rule. You can also enable **All actions**.
        * **Resource**: Defaults to the selected bucket. To add other resources to the rule, click **Add resource**.

            {% note info %}

            A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., `samplebucket` and `samplebucket/*`.

            {% endnote %}

     1. If required, add a [condition](../../s3/api-ref/policy/conditions.md) for the rule:
        * Select **Key** from the list.
        * Select **Operator** from the list. If you want the operator to apply solely to the existing fields, select **Apply if the field exists**. This way, if the field is missing, the condition will be considered met.
        * Specify **Value**.
        * Click **Add value** to add another value to the condition.

        You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical `AND`, i.e., the request must meet all the specified criteria at once.

        You can set multiple values for each condition key at the same time. These values will be checked using the logical `OR`, i.e., the request must match any of the specified condition key values.

  1. Add other rules and configure them as needed.
  1. Optionally, to allow access to the bucket through the management console, click **Add console access rule**. For more information, see [Bucket access via the management console](../../concepts/policy.md#console-access).
  1. Click **Save** and confirm deletion.

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for editing a bucket ACL:

     ```bash
     yc storage bucket update --help
     ```

  1. Describe your bucket policy configuration as a JSON [data schema](../../s3/api-ref/policy/scheme.md):

     ```json
     {
       "Version": "2012-10-17",
       "Statement": {
         "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::<bucket_name>/*",
         "Condition": {
           "Bool": {
             "aws:SecureTransport": "true"
           }
         }
       }
     }
     ```

     Where:

     * `Version`: Version of the bucket policy description. This is an optional setting.
     * `Statement`: Bucket policy rules:
       * `Effect`: Deny or allow the requested action. The possible values are `Allow` and `Deny`.
       * `Principal`: ID of the subject requesting the permission. You can request permissions for a [user](../../../organization/operations/users-get.md), [service account](../../../iam/operations/sa/get-id.md), or [user group](../../../organization/operations/manage-groups.md). This is an optional setting. The possible values are:
         * `"*"`
         * `"CanonicalUser": "<subject_ID>"`

         You can get the IDs in the following ways:

         * [User](../../../organization/operations/users-get.md).
         * [Service account](../../../iam/operations/sa/get-id.md).
         * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

       * `Action`: [Action](../../s3/api-ref/policy/actions.md) to allow when the policy is triggered. The possible values are `s3:GetObject`, `s3:PutObject`, and `*` (if you need to apply the policy to all actions).
       * `Resource`: Resource to apply the rule to.
       * `Condition`: [Condition](../../s3/api-ref/policy/conditions.md) to check. This is an optional setting.

         You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical `AND`, i.e., the request must meet all the specified criteria at once.

         You can set multiple values for each condition key at the same time. These values will be checked using the logical `OR`, i.e., the request must match any of the specified condition key values.

  1. Run this command:

     ```bash
     yc storage bucket update \
       --name <bucket_name> \
       --policy-from-file <policy_file_path>
     ```

     Result:

     ```text
     name: my-bucket
     folder_id: csgeoelk7fl1********
     default_storage_class: STANDARD
     versioning: VERSIONING_SUSPENDED
     max_size: "10737418240"
     policy:
         Statement:
           Action: s3:GetObject
           Condition:
             Bool:
               aws:SecureTransport: "true"
             Effect: Allow
             Principal: '*'
             Resource: arn:aws:s3:::my-bucket
           Version: "2012-10-17"
     acl: {}
     created_at: "2022-12-14T08:42:16.273717Z"
     ```

- AWS CLI {#aws-cli}

  {% note info %}

  To manage a policy using the AWS CLI, a service account needs the `storage.admin` [role](../../security/index.md#storage-admin).

  {% endnote %}

  If you do not have the AWS CLI yet, [install and configure it](../../tools/aws-cli.md).

  1. Describe your bucket policy configuration as a JSON [data schema](../../s3/api-ref/policy/scheme.md):

     ```json
     {
       "Version": "2012-10-17",
       "Statement": {
         "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::<bucket_name>/*",
         "Condition": {
           "Bool": {
             "aws:SecureTransport": "true"
           }
         }
       }
     }
     ```

     Where:

     * `Version`: Version of the bucket policy description. This is an optional setting.
     * `Statement`: Bucket policy rules:
       * `Effect`: Deny or allow the requested action. The possible values are `Allow` and `Deny`.
       * `Principal`: ID of the subject requesting the permission. You can request permissions for a [user](../../../organization/operations/users-get.md), [service account](../../../iam/operations/sa/get-id.md), or [user group](../../../organization/operations/manage-groups.md). This is an optional setting. The possible values are:
         * `"*"`
         * `"CanonicalUser": "<subject_ID>"`

         You can get the IDs in the following ways:

         * [User](../../../organization/operations/users-get.md).
         * [Service account](../../../iam/operations/sa/get-id.md).
         * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

       * `Action`: [Action](../../s3/api-ref/policy/actions.md) to allow when the policy is triggered. The possible values are `s3:GetObject`, `s3:PutObject`, and `*` (if you need to apply the policy to all actions).
       * `Resource`: Resource to apply the rule to.
       * `Condition`: [Condition](../../s3/api-ref/policy/conditions.md) to check. This is an optional setting.

         You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical `AND`, i.e., the request must meet all the specified criteria at once.

         You can set multiple values for each condition key at the same time. These values will be checked using the logical `OR`, i.e., the request must match any of the specified condition key values.

     Once the configuration is complete, save it to a file named `policy.json`.
  1. Run this command:

     ```bash
     aws s3api put-bucket-policy \
       --endpoint https://storage.yandexcloud.net \
       --bucket <bucket_name> \
       --policy file://policy.json
     ```

- Terraform {#tf}

  {% note info %}
  
  If you access Object Storage via Terraform under a [service account](../../../iam/concepts/users/service-accounts.md), [assign](../../../iam/operations/sa/assign-role-for-sa.md) to the service account the relevant [role](../../security/index.md#roles-list), e.g., `storage.admin`, for the folder you are going to create the resources in.
  
  {% endnote %}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  By default, Terraform uses an IAM token for authentication in Object Storage. In addition to an IAM token, you can use a service account and static access keys for authentication in Object Storage. For more information about Terraform authentication in Object Storage, see the [relevant provider documentation](../../../terraform/resources/storage_bucket.md).


  To edit a bucket policy, you can use these resources:
  * [yandex_storage_bucket_policy](#tf-storage-bucket-policy)
  * [yandex_storage_bucket](#tf-storage-bucket) (obsolete)

  **yandex_storage_bucket_policy** {#tf-storage-bucket-policy}

  1. Open the Terraform configuration file and specify the policy using the `yandex_storage_bucket_policy` resource:

     ```hcl
     resource "yandex_storage_bucket_policy" "bpolicy" {
       bucket = "my-policy-bucket"
       policy = <<POLICY
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": "*",
           "Action": "s3:*",
           "Resource": [
             "arn:aws:s3:::my-policy-bucket/*",
             "arn:aws:s3:::my-policy-bucket"
           ]
         },
         {
           "Effect": "Deny",
           "Principal": "*",
           "Action": "s3:PutObject",
           "Resource": [
             "arn:aws:s3:::my-policy-bucket/*",
             "arn:aws:s3:::my-policy-bucket"
           ]
         }
       ]
     }
     POLICY
     }
     ```

     Where:
     
     * `bucket`: Bucket name. This is a required parameter.
     * `policy`: Policy name. This is a required parameter.
     
     Policy settings:
     
     * `Version`: Version of the bucket policy description. This is a required parameter. The only supported value is `2012-10-17`.
     * `Statement`: Bucket policy rules:
       * `Effect`: Deny or allow the requested action. The possible values are `Allow` and `Deny`.
       * `Principal`: ID of the subject requesting the permission. You can request permissions for a [user](../../../organization/operations/users-get.md), [service account](../../../iam/operations/sa/get-id.md), or [user group](../../../organization/operations/manage-groups.md). This is an optional setting. The possible values are:
         * `"*"`
         * `"CanonicalUser": "<subject_ID>"`
     
         You can get the IDs in the following ways:
     
         * [User](../../../organization/operations/users-get.md).
         * [Service account](../../../iam/operations/sa/get-id.md).
         * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.
     
       * `Action`: [Action](../../s3/api-ref/policy/actions.md) to allow when the policy is triggered. Examples of possible values: `s3:GetObject`, `s3:PutObject`. Use `*` if you need to apply the policy to all actions.
       * `Resource`: Resource to apply the rule to.
       * `Condition`: [Condition](../../s3/api-ref/policy/conditions.md) to check. This is an optional setting.
     
         You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical `AND`, i.e., the request must meet all the specified criteria at once.
     
         You can set multiple values for each condition key at the same time. These values will be checked using the logical `OR`, i.e., the request must match any of the specified condition key values.

     For more information about the `yandex_storage_bucket_policy` properties, see [this provider guide](../../../terraform/resources/storage_bucket_policy.md).

  1. Apply the changes:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     You can check the update using the [management console](https://console.yandex.cloud).

  **yandex_storage_bucket (obsolete)** {#tf-storage-bucket}

  1. Open the Terraform configuration file and specify the policy in the `policy` parameter for the `yandex_storage_bucket` resource:

     ```hcl
     resource "yandex_storage_bucket" "mybucket" {
       bucket     = "my-policy-bucket"
       policy     = <<POLICY
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": "*",
           "Action": "s3:*",
           "Resource": [
             "arn:aws:s3:::my-policy-bucket/*",
             "arn:aws:s3:::my-policy-bucket"
           ]
         },
         {
           "Effect": "Deny",
           "Principal": "*",
           "Action": "s3:PutObject",
           "Resource": [
             "arn:aws:s3:::my-policy-bucket/*",
             "arn:aws:s3:::my-policy-bucket"
           ]
         }
       ]
     }
     POLICY
     }
     ```

     Where:
     
     * `bucket`: Bucket name. This is a required parameter.
     * `policy`: Policy name. This is a required parameter.
     
     Policy settings:
     
     * `Version`: Version of the bucket policy description. This is a required parameter. The only supported value is `2012-10-17`.
     * `Statement`: Bucket policy rules:
       * `Effect`: Deny or allow the requested action. The possible values are `Allow` and `Deny`.
       * `Principal`: ID of the subject requesting the permission. You can request permissions for a [user](../../../organization/operations/users-get.md), [service account](../../../iam/operations/sa/get-id.md), or [user group](../../../organization/operations/manage-groups.md). This is an optional setting. The possible values are:
         * `"*"`
         * `"CanonicalUser": "<subject_ID>"`
     
         You can get the IDs in the following ways:
     
         * [User](../../../organization/operations/users-get.md).
         * [Service account](../../../iam/operations/sa/get-id.md).
         * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.
     
       * `Action`: [Action](../../s3/api-ref/policy/actions.md) to allow when the policy is triggered. Examples of possible values: `s3:GetObject`, `s3:PutObject`. Use `*` if you need to apply the policy to all actions.
       * `Resource`: Resource to apply the rule to.
       * `Condition`: [Condition](../../s3/api-ref/policy/conditions.md) to check. This is an optional setting.
     
         You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical `AND`, i.e., the request must meet all the specified criteria at once.
     
         You can set multiple values for each condition key at the same time. These values will be checked using the logical `OR`, i.e., the request must match any of the specified condition key values.

     For more information about the `yandex_storage_bucket` properties, see [this provider guide](../../../terraform/resources/storage_bucket.md).

  1. Apply the changes:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     You can check the update using the [management console](https://console.yandex.cloud).

- API {#api}

  To manage a bucket policy, use the [update](../../api-ref/Bucket/update.md) REST API method for the [Bucket](../../api-ref/Bucket/index.md) resource, the [BucketService/Update](../../api-ref/grpc/Bucket/update.md) gRPC API call, or the [PutBucketPolicy](../../s3/api-ref/policy/put.md) S3 API method. If the bucket already had a bucket policy configured, it will be completely overwritten once you apply the new policy.

{% endlist %}

{% note info %}

If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, [delete](policy.md#delete-policy) it.

{% endnote %}

### Deleting a rule {#delete-rule}

To delete a rule from an access policy:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select a folder.
  1. Navigate to **Object Storage**.
  1. Select the bucket to configure an access policy in.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/persons-lock.svg) **Security** and go to the **Access policy** tab.
  1. Click **Configure access**.
  1. Next to the rule, click ![options](../../../_assets/console-icons/ellipsis.svg) and select **Delete**.

  {% note tip %}
  
  Leave at least one rule in the access policy. If a bucket is subject to a policy with no rules in it, by default all actions with the bucket will be denied to all users.

  To disable access policy checks, [delete the policy](#delete-policy).
  
  {% endnote %}

{% endlist %}

## Viewing a policy {#view-policy}

The minimum role required to view a bucket policy is `storage.configViewer`. For more information, see the [role description](../../security/index.md#storage-config-viewer).

To view the bucket policy applied to a bucket:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select a folder.
  1. Navigate to **Object Storage**.
  1. Select the bucket from the list.
  1. In the left-hand menu, select **Security** and go to the **Access policy** tab.

- AWS CLI {#aws-cli}

  Run this command:

  ```bash
  aws --endpoint https://storage.yandexcloud.net s3api get-bucket-policy \
    --bucket <bucket_name> \
    --output text
  ```

  Result:

  ```json
  {
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::<bucket_name>/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"true\"}}}}"
  }
  ```

  For more information about parameters, see the [data schema](../../s3/api-ref/policy/scheme.md) description.

- API {#api}

  Use the [GetBucketPolicy](../../s3/api-ref/policy/get.md) S3 API method.

{% endlist %}

## Deleting a policy {#delete-policy}

The minimum role required to delete a bucket policy is `storage.configurer`. For more information, see the [role description](../../security/index.md#storage-configurer).

To delete a bucket policy:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select a folder.
  1. Navigate to **Object Storage**.
  1. Select the bucket from the list.
  1. In the left-hand menu, select **Security** and go to the **Access policy** tab.
  1. Click ![options](../../../_assets/console-icons/ellipsis.svg) and select **Delete access policy**.
  1. Click **Delete** and confirm deletion.

- AWS CLI {#aws-cli}

  Run this command:

  ```bash
  aws --endpoint https://storage.yandexcloud.net s3api delete-bucket-policy \
    --bucket <bucket_name>
  ```

- Terraform {#tf}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  By default, Terraform uses an IAM token for authentication in Object Storage. In addition to an IAM token, you can use a service account and static access keys for authentication in Object Storage. For more information about Terraform authentication in Object Storage, see the [relevant provider documentation](../../../terraform/resources/storage_bucket.md).


  You can use the `yandex_storage_bucket_policy` and `yandex_storage_bucket` resources to specify the policy (this method is deprecated).

  1. Open the Terraform configuration file describing the bucket policy.

      * If you applied a bucket policy using the `yandex_storage_bucket` resource:

        {% cut "yandex_storage_bucket" %}
        
        1. Find the parameters of the previously created bucket policy to delete in the configuration file:
      
            ```hcl
            resource "yandex_storage_bucket" "b" {
              bucket = "my-policy-bucket"
              policy = <<POLICY
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": "*",
                  "Action": "s3:*",
                  "Resource": [
                    "arn:aws:s3:::my-policy-bucket/*",
                    "arn:aws:s3:::my-policy-bucket"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Principal": "*",
                  "Action": "s3:PutObject",
                  "Resource": [
                    "arn:aws:s3:::my-policy-bucket/*",
                    "arn:aws:s3:::my-policy-bucket"
                  ]
                }
              ]
            }
            POLICY
            }
            ```

        1. Delete the `policy` field describing the bucket policy settings from the configuration file.

        {% endcut %}

      * If you applied a bucket policy using the `yandex_storage_bucket_policy` resource:

        {% cut "yandex_storage_bucket_policy" %}
        
        1. Find the parameters of the previously created bucket policy to delete in the configuration file:
      
            ```hcl
            resource "yandex_storage_bucket_policy" "bpolicy" {
              bucket = "my-policy-bucket"
              policy = <<POLICY
            {
              "Version": "2012-10-17",
              "Statement": [
              {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                  "arn:aws:s3:::my-policy-bucket/*",
                  "arn:aws:s3:::my-policy-bucket"
                ]
              },
              {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": [
                  "arn:aws:s3:::my-policy-bucket/*",
                  "arn:aws:s3:::my-policy-bucket"
                ]
              }
              ]
            }
            POLICY
            }
            ```

        1. Delete the `yandex_storage_bucket_policy` section describing the bucket policy settings from the configuration file.

        {% endcut %}

  1. Apply the changes:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     This will delete the bucket policy from the specified folder. You can check the bucket policy deletion using the [management console](https://console.yandex.cloud).

- API {#api}

  Use the [DeleteBucketPolicy](../../s3/api-ref/policy/delete.md) S3 API method.

{% endlist %}

## See also {#see-also}

* [Configuration examples](../../concepts/policy.md#config-examples)