- Anonymous GET access (every object in the bucket becomes world-readable)
- Anonymous GET access restricted by HTTP Referer (a client-supplied header, so this deters hotlinking but is not an access control)
- Full access for specific IAM users/roles
- Full access to one bucket (plus s3:ListAllMyBuckets so it appears in the S3 console) for specific IAM users/groups
Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"http://domain.com/*",
"http://www.domain.com/*"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Type: bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_A",
"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_B",
"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_C",
"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_A",
"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_B",
"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_C"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Type: group/user
Note: both arn:aws:s3:::BUCKET_NAME and arn:aws:s3:::BUCKET_NAME/* must be listed under the "Resource" block, because bucket-level actions (such as listing objects) apply to the bucket ARN while object-level actions apply to the /* ARN. Including both is what allows the IAM user to list objects at the root level of the bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}