- Anonymous GET access
- GET/PUT/DELETE access to specific path within a bucket
- LIST/PUT/DELETE access to specific path within a bucket
Type: bucket
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}
Type: user/group
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        },
        {
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
            ]
        }
    ]
}
Note: The unconditioned s3:ListBucket action against the bucket as a whole allows listing of every object key in the bucket, not only those under BUCKET_PATH/; only the object-level actions are restricted to that path.
Type: user/group
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:delimiter": ["/"],
                    "s3:prefix": ["", "BUCKET_PATH/"]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        },
        {
            "Action": [
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
            ]
        }
    ]
}
Note: This policy effectively provides protected user folders within an S3 bucket:
- The first s3:ListBucket statement allows listing only of object paths at the root and under BUCKET_PATH/ (the StringEquals condition also requires the request to pass a "/" delimiter).
- The second s3:ListBucket statement allows listing of all objects from the path BUCKET_PATH/BUCKET_SUB_PATH/ and below.
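To check which ListBucket requests the two conditioned statements above admit before deploying them, the following added example (not from the original page) models IAM's StringEquals and StringLike evaluation over the s3:prefix and s3:delimiter context keys. It assumes the simplified rules that a request with no prefix parameter carries an empty s3:prefix, and that a condition key absent from the request (for example, no delimiter sent) makes a StringEquals condition fail; the statement copies and the sample requests are constructed for this demonstration.

```python
import fnmatch

# Constructed copy of the two s3:ListBucket statements from the third policy (placeholders kept).
LIST_STATEMENTS = [
    {"Condition": {"StringEquals": {"s3:delimiter": ["/"],
                                    "s3:prefix": ["", "BUCKET_PATH/"]}}},
    {"Condition": {"StringLike": {"s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]}}},
]


def condition_matches(condition, request):
    """Return True when every operator/key pair in a Condition block matches the request.
    Operators and keys are ANDed; the values listed for one key are ORed.
    Assumption: a key missing from the request fails a plain (non-IfExists) operator."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            if key not in request:
                return False
            actual = request[key]
            if operator == "StringEquals":
                ok = actual in allowed
            elif operator == "StringLike":
                # IAM wildcards: '*' any run of chars (including '/'), '?' one char.
                ok = any(fnmatch.fnmatchcase(actual, pattern) for pattern in allowed)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def list_allowed(prefix="", delimiter=None):
    """Would a ListBucket call with this prefix (and optional delimiter) be allowed?
    Any matching Allow statement is enough; no Deny statements exist in this policy."""
    request = {"s3:prefix": prefix}
    if delimiter is not None:
        request["s3:delimiter"] = delimiter
    return any(condition_matches(s["Condition"], request) for s in LIST_STATEMENTS)


if __name__ == "__main__":
    # Constructed sample requests: (prefix, delimiter)
    for req in [("", "/"), ("BUCKET_PATH/", "/"), ("BUCKET_PATH/", None),
                ("BUCKET_PATH/BUCKET_SUB_PATH/", None), ("BUCKET_PATH/other/", "/")]:
        print(req, "->", "allow" if list_allowed(*req) else "deny")
```

Note that a plain `list-objects` call on `BUCKET_PATH/` without a delimiter is denied by this model, which is why console-style "folder" listing works while a flat recursive listing of `BUCKET_PATH/` does not.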