Skip to content

Instantly share code, notes, and snippets.

@anryko
Forked from magnetikonline/README.md
Created April 25, 2018 11:31
Show Gist options
  • Save anryko/5a1411907e276dc797a01c0fd026c22b to your computer and use it in GitHub Desktop.
Save anryko/5a1411907e276dc797a01c0fd026c22b to your computer and use it in GitHub Desktop.
AWS S3 bucket and IAM policy recipes.

AWS S3 bucket and IAM policy recipes

Anonymous GET access

Type: bucket

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:GetObject"
			],
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"*"
				]
			},
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

Anonymous GET access - match HTTP referrer

Type: bucket

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:GetObject"
			],
			"Condition": {
				"StringLike": {
					"aws:Referer": [
						"http://domain.com/*",
						"http://www.domain.com/*"
					]
				}
			},
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"*"
				]
			},
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

Full access for specific IAM user/role

Type: bucket

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:*"
			],
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_A",
					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_B",
					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_C",
					"arn:aws:iam::ACCOUNT_ID:role/ROLE_A",
					"arn:aws:iam::ACCOUNT_ID:role/ROLE_B",
					"arn:aws:iam::ACCOUNT_ID:role/ROLE_C"
				]
			},
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME",
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

GET/PUT/DELETE access to specific path within a bucket

Type: user/group/role

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:DeleteObject",
				"s3:GetObject",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
			]
		}
	]
}

Note: The s3:ListBucket action against the bucket as a whole allows for the listing of bucket objects.

Restricted LIST & PUT/DELETE access to specific path within a bucket

Type: user/group/role

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket"
			],
			"Condition": {
				"StringEquals": {
					"s3:delimiter": ["/"],
					"s3:prefix": ["","BUCKET_PATH/"]
				}
			},
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:ListBucket"
			],
			"Condition": {
				"StringLike": {
					"s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]
				}
			},
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:DeleteObject",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
			]
		}
	]
}

Note: This policy effectively provides protected user folders within an S3 bucket:

  • The first s3:ListBucket action allows listing only of objects at the bucket root and under BUCKET_PATH/.
  • The second s3:ListBucket action allows listing of objects from the path of BUCKET_PATH/BUCKET_SUB_PATH/ and below.
  • Technique is covered here under the heading Block 2: Allow listing objects in root and home folders.

Full access (and S3 console) for specific IAM users

Type: user/group/role

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListAllMyBuckets"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::*"
			]
		},
		{
			"Action": [
				"s3:*"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

Reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment