Skip to content

Instantly share code, notes, and snippets.

@iandees

iandees/iam_policy.json

Created April 21, 2018 02:11
Show Gist options
  • Save iandees/26c61b7f1e9a51dae91be41d53fc06d3 to your computer and use it in GitHub Desktop.
Save iandees/26c61b7f1e9a51dae91be41d53fc06d3 to your computer and use it in GitHub Desktop.
Download ZIP
Minimum S3 policy required for awscli s3 sync to work.
Raw
iam_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListObjects",
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name"
}
]
}
@Firefishy
Copy link

Firefishy commented Sep 20, 2023
edited
Loading

Here is what I use in 2023. The statements are generated with help from policy_sentry, but equally you chould use AWS's IAM Access Analyzer.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ]
        },
        {
            "Sid": "S3ReadObject",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        },
        {
            "Sid": "S3WriteObject",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        },
        {
            "Sid": "S3ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ]
        },
        {
            "Sid": "S3ListObject",
            "Effect": "Allow",
            "Action": [
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment