AWS policy examples - allanrogerr/public GitHub Wiki

Note: in these examples, PutObject is granted on the prefix ARN itself (e.g. `arn:aws:s3:::memes/incoming`) without a trailing `/*`. Confirm this matches objects under the prefix on the server you deploy to; in standard AWS IAM an object ARN without a wildcard matches only that exact key.

The user can list memes/outgoing but cannot list memes/incoming

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::memes"
            ]
        },
        {
            "Sid": "AllowUploadToIncoming",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::memes/incoming"
            ]
        },
        {
            "Sid": "AllowListingOutgoing",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::memes"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "outgoing",
                        "outgoing/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowDownloadFromOutgoing",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::memes/outgoing/*"
            ]
        },
        {
            "Sid": "DenyUploadToOutgoing",
            "Effect": "Deny",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::memes/outgoing"
            ]
        },
        {
            "Sid": "DenyListingIncoming",
            "Effect": "Deny",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::memes"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "incoming",
                        "incoming/*"
                    ]
                }
            }
        }
    ]
}

The user can get/put on a given prefix (as written, the policy contains only PutObject and ListBucket statements; there is no GetObject statement, so add one if object reads are intended)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::test-bucket"
            ]
        },
        {
            "Sid": "AllowUploadToPrefix",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::test-bucket/memes"
            ]
        },
        {
            "Sid": "AllowListingPrefix",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::test-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "memes",
                        "memes/*"
                    ]
                }
            }
        }
    ]
}

Read-only admin policy (note that the second statement's `s3:Get*` on `arn:aws:s3:::*` also permits reading the contents of every object in every bucket, not just metadata)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "admin:ListBatchJobs",
                "admin:ListServiceAccounts",
                "admin:GetGroup",
                "admin:GetPolicy",
                "admin:GetUser",
                "admin:ListUserPolicies",
                "admin:ServerInfo",
                "admin:ServerTrace",
                "admin:StorageInfo",
                "admin:ConsoleLog",
                "admin:GetBucketQuota",
                "admin:ListGroups",
                "admin:TopLocksInfo",
                "admin:BandwidthMonitor",
                "admin:DataUsageInfo",
                "admin:KMSKeyStatus",
                "admin:OBDInfo",
                "admin:GetBucketTarget",
                "admin:ListTier",
                "admin:ListUsers"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

Whitelist upload by filetype (the suffix patterns constrain only the object key name, not the uploaded content, and the `mybucket/anything/*` entry permits any extension under that prefix; ListBucket and ListAllMyBuckets are bucket-level actions but are scoped here to an object ARN, so confirm the target server grants them with that resource)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*.jpg",
                "arn:aws:s3:::mybucket/anything/*",
                "arn:aws:s3:::mybucket/jpg/*.jpg",
                "arn:aws:s3:::mybucket/l1/l2/*.txt",
                "arn:aws:s3:::mybucket/png/*.png",
                "arn:aws:s3:::mybucket/txt/*.doc",
                "arn:aws:s3:::mybucket/txt/*.txt"
            ]
        }
    ]
}