Skip to main content
The following examples show common bucket access policy patterns. For details on how to apply a policy to a bucket, see Manage bucket policies.

Allow organization-wide read access

The following policy allows organization-wide read access for the specified bucket. Fill in the following parameters in the policy:
  • [ORG-ID] with your organization’s ID.
  • [BUCKET-NAME] with the name of the bucket you want to grant read access to.
Allow organization-wide read access for the specified bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObject",
      "Principal": {
          "AWS": "*"
      },
      "Effect": "Allow",
      "Action": [
          "s3:GetObject",
          "s3:ListBucket"
          ],
      "Resource": [
        "arn:aws:s3:::[BUCKET-NAME]",
        "arn:aws:s3:::[BUCKET-NAME]/*"
        ],
      "Condition": {
          "StringEquals": {
              "cw:PrincipalOrgID": ["[ORG-ID]"]
          }
      }
    }
  ]
}

Allow access from another organization

You can also use bucket access policies to grant users from other organizations access to your bucket:
Allow users from other organizations to access your bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObject",
      "Principal": {
          "AWS": "*"
      },
      "Effect": "Allow",
      "Action": [
          "s3:GetObject",
          "s3:ListBucket"
          ],
      "Resource": [
        "arn:aws:s3:::[BUCKET-NAME]",
        "arn:aws:s3:::[BUCKET-NAME]/*"
        ],
      "Condition": {
          "StringEquals": {
              "cw:PrincipalOrgID": ["[ORG-ID]", "[OTHER-ORG-ID]"]
          }
      }
    }
  ]
}

Prevent a specific user from deleting objects

This policy prevents a specific user from deleting objects. Replace [ORG-ID] with your organization’s ID and [USER-ID] with the user’s ID.
Prevent a specific user from deleting objects
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement",
      "Effect": "Deny",
      "Principal": {
        "CW": "arn:aws:iam::[ORG-ID]:coreweave/[USER-ID]"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::[BUCKET-NAME]",
        "arn:aws:s3:::[BUCKET-NAME]/*"
      ]
    }
  ]
}

Additional resources

Last modified on May 29, 2026