Skip to content

Instantly share code, notes, and snippets.

@harshavardhana

harshavardhana/README.md

Forked from magnetikonline/README.md
Last active March 16, 2023 17:16
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save harshavardhana/23b19e20409248189eb3dbbc74a1c42c to your computer and use it in GitHub Desktop.
Save harshavardhana/23b19e20409248189eb3dbbc74a1c42c to your computer and use it in GitHub Desktop.
Download ZIP
AWS S3 bucket policy recipes.
Raw
README.md

AWS S3 bucket policy recipes

Anonymous GET access

Type: bucket

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:GetObject"
			],
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"*"
				]
			},
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/*"
			]
		}
	]
}

GET/PUT/DELETE access to specific path within a bucket

Type: user/group

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:DeleteObject",
				"s3:GetObject",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
			]
		}
	]
}

Note: The s3:ListBucket action against the bucket as a whole allows for the listing of bucket objects.

LIST/PUT/DELETE access to specific path within a bucket

Type: user/group

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket"
			],
			"Condition": {
				"StringEquals": {
					"s3:delimiter": ["/"],
					"s3:prefix": ["","BUCKET_PATH/"]
				}
			},
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:ListBucket"
			],
			"Condition": {
				"StringLike": {
					"s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]
				}
			},
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME"
			]
		},
		{
			"Action": [
				"s3:DeleteObject",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
			]
		}
	]
}

Note: This policy effectively provides protected user folders within an S3 bucket:

  • The first s3:ListBucket action allows listing only of object paths at the root and under BUCKET_PATH/.
  • The second s3:ListBucket allows for listing of all objects from the path of BUCKET_PATH/BUCKET_SUB_PATH/ and below.

Reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment