Skip to content

Instantly share code, notes, and snippets.

@sanggiChoi

sanggiChoi/README.md

Forked from magnetikonline/README.md
Created March 23, 2016 08:51
Show Gist options
  • Save sanggiChoi/60f4c4a014ba2c52296a to your computer and use it in GitHub Desktop.
Save sanggiChoi/60f4c4a014ba2c52296a to your computer and use it in GitHub Desktop.
Download ZIP
AWS S3 bucket policy recipes.
Raw
README.md

AWS S3 bucket policy recipes

Anonymous GET access

Type: bucket

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:GetObject"
			],
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"*"
				]
			},
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

Anonymous GET access - match HTTP referrer

Type: bucket

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:GetObject"
			],
			"Condition": {
				"StringLike": {
					"aws:Referer": [
						"http://domain.com/*",
						"http://www.domain.com/*"
					]
				}
			},
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"*"
				]
			},
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

Full access for specific IAM user/role

Type: bucket

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:*"
			],
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_A",
					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_B",
					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_C",
					"arn:aws:iam::ACCOUNT_ID:role/ROLE_A",
					"arn:aws:iam::ACCOUNT_ID:role/ROLE_B",
					"arn:aws:iam::ACCOUNT_ID:role/ROLE_C"
				]
			},
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME",
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

Put/delete access to specific path within a bucket

Type: user/group

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:DeleteObject",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
			]
		}
	]
}

Note: The s3:ListBucket action against the bucket as a whole allows for the listing of bucket objects.

List/put/delete access to specific path within a bucket

Type: user/group

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket"
			],
			"Condition": {
				"StringEquals": {
					"s3:delimiter": ["/"],
					"s3:prefix": ["","BUCKET_PATH/"]
				}
			},
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:ListBucket"
			],
			"Condition": {
				"StringLike": {
					"s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]
				}
			},
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:DeleteObject",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
			]
		}
	]
}

Note: This policy effectively provides protected user folders within an S3 bucket:

  • The first s3:ListBucket action allows listing only of object paths at the root and under BUCKET_PATH/.
  • The second s3:ListBucket allows for listing of all objects from the path of BUCKET_PATH/BUCKET_SUB_PATH/ and below.

Full access (and S3 console) for specific IAM users

Type: user/group

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListAllMyBuckets"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::*"
			]
		},
		{
			"Action": [
				"s3:*"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

Reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment