@wallentx
Created August 8, 2015 04:12
S3 bucket policy template
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NameForBucketPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:user/iam_user",
          "arn:aws:iam::222222222222:user/iam_user",
          "arn:aws:iam::222222222222:role/iam_role_list",
          "arn:aws:iam::222222222222:role/iam_role_list_get",
          "arn:aws:iam::222222222222:role/iam_role_list_get_put",
          "arn:aws:iam::222222222222:role/iam_role_list_get_put_delete"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}
wallentx commented Aug 8, 2015

THIS IS THE TRICKY PART. Even though the Bucket Policy dictates that the Role "arn:aws:iam::222222222222:role/iam_role_list" has been allowed to perform All actions on the S3 resource "bucket-name" as well as all enclosed objects, the Role still needs sufficient permissions to access S3 and perform certain actions.

Think of it like this:

"Resource": "arn:aws:s3:::Wal-Mart" will "Effect": "Allow", you to "Action": "s3:Buy*" all of their products, "Action": "s3:ReturnItems", or "Action": "s3:BrowseStore".
But you have to have your Mom's permission to go, and she will only let you "Action": "s3:BuyToiletries", "Action": "s3:BuyProduce", or "Action": "s3:BrowseSchoolSupplies".

Get it?

The Mom in this scenario would be the Policy attached to the IAM User, Group, or Role. Both the IAM policy and the S3 Bucket policy must have aligned permissions. Just because an IAM policy grants "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"], which allows ANY action on ANY bucket, doesn't mean that the bucket will allow it.
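The two-policy rule from the comment above, applied to the bucket policy template at the top of the gist, as an added example (this is not part of the gist and not AWS code): a small Python model of the evaluation logic for an IAM principal calling S3. It embeds the gist's bucket policy verbatim and pairs it with constructed identity policies that the gist never shows; the identity policy for iam_role_list, the object key, the "not_in_policy" role and the choice of 111111111111 as the bucket-owning account are all assumptions made for the example. The model covers only identity-based and bucket policies (no SCPs, permission boundaries or session policies): an explicit Deny in either wins; within one account an Allow in either policy is enough; across accounts both must Allow. It generalises the gist's single case to the same-account case as well.

```python
import fnmatch
import json

# The bucket policy from the gist, copied verbatim.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NameForBucketPolicy",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111111111111:user/iam_user",
        "arn:aws:iam::222222222222:user/iam_user",
        "arn:aws:iam::222222222222:role/iam_role_list",
        "arn:aws:iam::222222222222:role/iam_role_list_get",
        "arn:aws:iam::222222222222:role/iam_role_list_get_put",
        "arn:aws:iam::222222222222:role/iam_role_list_get_put_delete"
      ]},
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]
    }
  ]
}
""")

# Constructed identity policies (the "Mom" in the comment). The gist does not
# show them; their contents are assumptions for this example.
IDENTITY_LIST_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name"}]}
IDENTITY_S3_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IDENTITY_EMPTY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM Action/Resource wildcards: * matches any run of characters, ? a single one.
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(stmt, principal_arn):
    # Principal elements match by exact ARN (or the "*" anyone principal); no globbing.
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    return any(p == "*" or p == principal_arn for p in _as_list(principal.get("AWS", [])))


def evaluate(policy, principal_arn, action, resource_arn, *, is_resource_policy):
    """Return 'Deny', 'Allow' or None (no matching statement, i.e. implicit deny)."""
    decision = None
    for stmt in policy["Statement"]:
        if is_resource_policy and not _principal_matches(stmt, principal_arn):
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def account_of(arn):
    return arn.split(":")[4]


def is_authorized(principal_arn, action, resource_arn, identity_policy,
                  bucket_policy, bucket_owner_account):
    """Simplified IAM + bucket-policy evaluation for an IAM principal."""
    ident = evaluate(identity_policy, principal_arn, action, resource_arn, is_resource_policy=False)
    bucket = evaluate(bucket_policy, principal_arn, action, resource_arn, is_resource_policy=True)
    if "Deny" in (ident, bucket):
        return False
    if account_of(principal_arn) == bucket_owner_account:
        return "Allow" in (ident, bucket)          # same account: either policy suffices
    return ident == "Allow" and bucket == "Allow"  # cross-account: both must allow


ROLE_LIST = "arn:aws:iam::222222222222:role/iam_role_list"
BUCKET = "arn:aws:s3:::bucket-name"
OBJECT = "arn:aws:s3:::bucket-name/report.csv"   # constructed object key
OWNER = "111111111111"                            # assumed bucket-owning account


def demo():
    return {
        # The gist's case: the bucket says s3:*, the role's own policy says list only.
        "role_list_can_list": is_authorized(ROLE_LIST, "s3:ListBucket", BUCKET,
                                            IDENTITY_LIST_ONLY, BUCKET_POLICY, OWNER),
        "role_list_can_get": is_authorized(ROLE_LIST, "s3:GetObject", OBJECT,
                                           IDENTITY_LIST_ONLY, BUCKET_POLICY, OWNER),
        # The comment's last point: s3:* on every bucket in the identity policy does
        # not help when a cross-account bucket policy does not name the principal.
        "unlisted_role_all_s3": is_authorized("arn:aws:iam::222222222222:role/not_in_policy",
                                              "s3:GetObject", OBJECT, IDENTITY_S3_ALL,
                                              BUCKET_POLICY, OWNER),
        # Same-account principal: the bucket policy alone is enough.
        "same_account_user_no_identity": is_authorized("arn:aws:iam::111111111111:user/iam_user",
                                                       "s3:GetObject", OBJECT, IDENTITY_EMPTY,
                                                       BUCKET_POLICY, OWNER),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The second and third results are the ones the comment is about: role/iam_role_list is granted s3:* by the bucket but can only list, because its own policy only allows s3:ListBucket; and a role with s3:* on every bucket in its identity policy still gets nothing from a bucket in another account whose policy does not name it. The real evaluator also consults SCPs, permission boundaries and session policies, which can only narrow these outcomes further.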
