- Anonymous GET access
- Anonymous GET access - match HTTP referrer
- Full access for specific IAM user/role
- GET/PUT/DELETE access to specific path within a bucket
- Restricted LIST & PUT/DELETE access to specific path within a bucket
- Full access (and S3 console) for specific IAM users
- Reference
Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"http://domain.com/*",
"http://www.domain.com/*"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_A",
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_B",
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_C",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_A",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_B",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_C"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}Type: user/group/role
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
]
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
]
}
]
}Note: The s3:ListBucket action against the bucket as a whole allows for the listing of bucket objects.
Type: user/group/role
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Condition": {
"StringEquals": {
"s3:delimiter": ["/"],
"s3:prefix": ["","BUCKET_PATH/"]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
]
},
{
"Action": [
"s3:ListBucket"
],
"Condition": {
"StringLike": {
"s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
]
},
{
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
]
}
]
}Note: This policy effectively provides protected user folders within an S3 bucket:
- The first
s3:ListBucketaction allows listing only of objects at the bucket root and underBUCKET_PATH/. - The second
s3:ListBucketaction allows listing of objects from the path ofBUCKET_PATH/BUCKET_SUB_PATH/and below. - Technique is covered here under the heading Block 2: Allow listing objects in root and home folders.
Type: user/group/role
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}- Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket: http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
- Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket: http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
- Summary of
Actiontypes and their use:- http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
- Grouped by bucket vs. object action types, which is very handy.
- http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
- http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html