Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
AWS S3 bucket policy recipes.

AWS S3 bucket policy recipes

Anonymous GET access

Type: bucket

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:GetObject"
			],
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"*"
				]
			},
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

GET/PUT/DELETE access to specific path within a bucket

Type: user/group

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:DeleteObject",
				"s3:GetObject",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
			]
		}
	]
}

Note: The s3:ListBucket action against the bucket as a whole allows for the listing of bucket objects.

LIST/PUT/DELETE access to specific path within a bucket

Type: user/group

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket"
			],
			"Condition": {
				"StringEquals": {
					"s3:delimiter": ["/"],
					"s3:prefix": ["","BUCKET_PATH/"]
				}
			},
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:ListBucket"
			],
			"Condition": {
				"StringLike": {
					"s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]
				}
			},
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:DeleteObject",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
			]
		}
	]
}

Note: This policy effectively provides protected user folders within an S3 bucket:

  • The first s3:ListBucket action allows listing only of object paths at the root and under BUCKET_PATH/.
  • The second s3:ListBucket allows for listing of all objects from the path of BUCKET_PATH/BUCKET_SUB_PATH/ and below.

Reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.