- Anonymous GET access
- Anonymous GET access - match HTTP referrer
- Full access for specific IAM user/role
- Put/delete access to specific path within a bucket
- List/put/delete access to specific path within a bucket
- Full access (and S3 console) for specific IAM users
Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"http://domain.com/*",
"http://www.domain.com/*"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_A",
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_B",
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_C",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_A",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_B",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_C"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Type: user/group
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
]
},
{
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
]
}
]
}
Note: The s3:ListBucket
action against the bucket as a whole allows for the listing of bucket objects.
Type: user/group
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Condition": {
"StringEquals": {
"s3:delimiter": ["/"],
"s3:prefix": ["","BUCKET_PATH/"]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
]
},
{
"Action": [
"s3:ListBucket"
],
"Condition": {
"StringLike": {
"s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
]
},
{
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
]
}
]
}
Type: user/group
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
- http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
- http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
- http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
- http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html