{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow bucket admins",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/bucket-admin1",
                    "arn:aws:iam::123456789012:user/bucket-admin2"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Sid": "Allow readonly user from IP address",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/myreadonlyuser"
            },
            "Action": [
                "s3:Get*",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "0.0.0.0/0"
                }
            }
        },
        {
            "Sid": "Allow users to upload",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/myuploader"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Sid": "Deny non-whitelisted users",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/bucket-admin1",
                    "arn:aws:iam::123456789012:user/bucket-admin2",
                    "arn:aws:iam::123456789012:user/myreadonlyuser"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}