# AWS S3 bucket policy recipes

- [Anonymous GET access](#anonymous-get-access)
- [Anonymous GET access - match HTTP referrer](#anonymous-get-access---match-http-referrer)
- [Full access for specific IAM user/role](#full-access-for-specific-iam-userrole)
- [GET/PUT/DELETE access to specific path within a bucket](#getputdelete-access-to-specific-path-within-a-bucket)
- [LIST/PUT/DELETE access to specific path within a bucket](#listputdelete-access-to-specific-path-within-a-bucket)
- [Full access (and S3 console) for specific IAM users](#full-access-and-s3-console-for-specific-iam-users)

## Anonymous GET access

**Type:** bucket

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
```

## Anonymous GET access - match HTTP referrer

**Type:** bucket

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://domain.com/*",
            "http://www.domain.com/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
```

## Full access for specific IAM user/role

**Type:** bucket

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_ID:user/USERNAME_A",
          "arn:aws:iam::ACCOUNT_ID:user/USERNAME_B",
          "arn:aws:iam::ACCOUNT_ID:user/USERNAME_C",
          "arn:aws:iam::ACCOUNT_ID:role/ROLE_A",
          "arn:aws:iam::ACCOUNT_ID:role/ROLE_B",
          "arn:aws:iam::ACCOUNT_ID:role/ROLE_C"
        ]
      },
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
```

## GET/PUT/DELETE access to specific path within a bucket

**Type:** user/group

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME"
      ]
    },
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
      ]
    }
  ]
}
```

**Note:** The [`s3:ListBucket`](http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets) action is granted here against the bucket as a whole (the bucket ARN, not an object ARN), so it allows *listing* of all object keys in the bucket, including keys outside `BUCKET_PATH/`.

## LIST/PUT/DELETE access to specific path within a bucket

**Type:** user/group

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Condition": {
        "StringEquals": {
          "s3:delimiter": [
            "/"
          ],
          "s3:prefix": [
            "",
            "BUCKET_PATH/"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME"
      ]
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "BUCKET_PATH/BUCKET_SUB_PATH/*"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME"
      ]
    },
    {
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
      ]
    }
  ]
}
```

**Note:** This policy effectively provides protected user folders within an S3 bucket:

- The first `s3:ListBucket` statement allows *listing only* of objects at the bucket root and directly under `BUCKET_PATH/` (the `s3:delimiter` condition means the request must be made with a `/` delimiter).
- The second `s3:ListBucket` statement allows listing of objects under `BUCKET_PATH/BUCKET_SUB_PATH/` and below.
- The technique is described in [this AWS Security Blog post](http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke) under the heading _Block 2: Allow listing objects in root and home folders_.
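The per-folder recipe above is easy to get subtly wrong, so it is worth checking what it actually grants before attaching it. The following is an added example, not code from this page or from AWS: a deliberately simplified IAM evaluator in Python that models only what the recipe uses (`Allow`/`Deny` effects, wildcard matching on `Action` and `Resource`, and the `StringEquals`/`StringLike` operators over the `s3:prefix` and `s3:delimiter` context keys). The placeholders are filled with constructed values (`BUCKET_NAME=example-bucket`, `BUCKET_PATH=home`, `BUCKET_SUB_PATH=alice`), and the helper names `is_allowed`, `can_list` and `can_object` are mine. It also exercises the edge case in the first statement: a listing request that omits the delimiter has no `s3:delimiter` key in its context, so the `StringEquals` condition fails and the root/home listing is denied.

```python
import fnmatch
import json

# The LIST/PUT/DELETE recipe from this page with placeholders replaced by
# constructed values: BUCKET_NAME=example-bucket, BUCKET_PATH=home,
# BUCKET_SUB_PATH=alice.
USER_FOLDER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Condition": {
        "StringEquals": {"s3:delimiter": ["/"], "s3:prefix": ["", "home/"]}
      },
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::example-bucket"]
    },
    {
      "Action": ["s3:ListBucket"],
      "Condition": {"StringLike": {"s3:prefix": ["home/alice/*"]}},
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::example-bucket"]
    },
    {
      "Action": ["s3:DeleteObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::example-bucket/home/alice/*"]
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most slots; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the two operators the recipe uses. A context key that is
    absent from the request makes the condition false, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation (hypothetical helper): an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the default is Deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_list(prefix, delimiter="/", policy=USER_FOLDER_POLICY, bucket="example-bucket"):
    """Model a ListObjects call. s3:delimiter only appears in the request
    context when the client actually sends a delimiter parameter."""
    context = {"s3:prefix": prefix}
    if delimiter is not None:
        context["s3:delimiter"] = delimiter
    return is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}", context)


def can_object(action, key, policy=USER_FOLDER_POLICY, bucket="example-bucket"):
    """Model an object-level call such as PutObject on bucket/key."""
    return is_allowed(policy, f"s3:{action}", f"arn:aws:s3:::{bucket}/{key}")


if __name__ == "__main__":
    for prefix, delim in [("", "/"), ("home/", "/"), ("home/alice/", "/"),
                          ("home/bob/", "/"), ("home/", None), ("home/alice/", None)]:
        print(f"list prefix={prefix!r} delimiter={delim!r}: {can_list(prefix, delim)}")
    for action, key in [("PutObject", "home/alice/notes.txt"), ("PutObject", "home/bob/notes.txt"),
                        ("GetObject", "home/alice/notes.txt"), ("DeleteObject", "home/alice/notes.txt")]:
        print(f"{action} {key}: {can_object(action, key)}")
```

Two things the run makes visible that the recipe text does not: the recipe grants no `s3:GetObject` at all (it is LIST/PUT/DELETE only, so add an object-read statement if users should download their files), and the root/home listing only works for clients that send a `/` delimiter, which `aws s3 ls` does but a raw `list-objects` call without `--delimiter` does not. For the real thing, `aws iam simulate-custom-policy` evaluates a policy document against actions, resources and context keys with AWS's full semantics.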
## Full access (and S3 console) for specific IAM users

**Type:** user/group

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
```

**Note:** `s3:ListAllMyBuckets` on `arn:aws:s3:::*` is what lets the S3 console show the bucket list. Bucket-level actions such as `s3:ListBucket`, which the console needs to browse the bucket's objects, apply to the bucket ARN rather than to object ARNs, so the bucket itself (`arn:aws:s3:::BUCKET_NAME`) must appear as a `Resource` alongside `arn:aws:s3:::BUCKET_NAME/*`.

## Reference

- Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket: http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
- Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket: http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
- Summary of S3 `Action` types and their use: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
- S3 policy condition keys: http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
- IAM policy examples: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
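The three bucket-type recipes at the top of this page differ a lot in blast radius: the first two make objects readable by anyone on the internet, and the `aws:Referer` condition in the second is only a client-supplied HTTP header, so it narrows casual hotlinking rather than access. The following is an added example, not code from this page or from AWS: a small Python audit that walks bucket policy statements and reports anonymous principals, whether a `Condition` narrows them and whether that condition rests solely on `aws:Referer`, plus `s3:*` grants that reach the bucket ARN. The policies are the page's recipes with `BUCKET_NAME` and `ACCOUNT_ID` replaced by constructed values; the function names `audit_statement`, `audit_policy` and `audit_all` are mine.

```python
import json

# The three bucket-type recipes from this page, with BUCKET_NAME and
# ACCOUNT_ID replaced by constructed values so the documents parse.
RECIPES = {
    "anonymous-get": json.loads("""
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Resource": ["arn:aws:s3:::example-bucket/*"]
      }]
    }"""),
    "anonymous-get-referer": json.loads("""
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": ["s3:GetObject"],
        "Condition": {"StringLike": {"aws:Referer": ["http://domain.com/*", "http://www.domain.com/*"]}},
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Resource": ["arn:aws:s3:::example-bucket/*"]
      }]
    }"""),
    "full-access-iam": json.loads("""
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": ["s3:*"],
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:user/alice",
                              "arn:aws:iam::123456789012:role/deploy"]},
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
      }]
    }"""),
}


def _as_list(value):
    """IAM accepts a string or a list in most slots; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten Principal ("*", {"AWS": "*"} or {"AWS": [...]}) into one list."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for values in principal.values() for p in _as_list(values)]


def _is_bucket_arn(resource):
    """arn:aws:s3:::bucket (no '/') names the bucket itself; bucket/* names objects."""
    return "/" not in resource.rpartition(":")[2]


def audit_statement(stmt):
    """Return human-readable findings for a single Allow statement (hypothetical helper)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    condition = stmt.get("Condition", {})
    condition_keys = {key for operands in condition.values() for key in operands}
    is_public = "*" in _principals(stmt)

    if is_public and not condition_keys:
        findings.append(f"public: anonymous principal may call {actions} with no Condition")
    elif is_public and condition_keys <= {"aws:Referer"}:
        findings.append("public: anonymous access gated only by aws:Referer, a client-supplied "
                        "header; treat the objects as world-readable")
    elif is_public:
        findings.append(f"public principal narrowed by Condition keys {sorted(condition_keys)}; review each")
    if "s3:*" in actions and any(_is_bucket_arn(r) for r in resources):
        findings.append("s3:* on the bucket ARN includes bucket-level actions such as "
                        "s3:DeleteBucket and s3:PutBucketPolicy")
    return findings


def audit_policy(policy):
    """Findings for every statement in one policy document."""
    return [f for stmt in policy["Statement"] for f in audit_statement(stmt)]


def audit_all(recipes=RECIPES):
    """Map recipe name to its findings."""
    return {name: audit_policy(policy) for name, policy in recipes.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or ['no findings']}")
```

In an account this check is usually unnecessary because S3 Block Public Access (`BlockPublicPolicy`) rejects a bucket policy that grants to `*`, and `aws s3api get-bucket-policy-status` reports whether an existing policy is public; the audit above is for reviewing recipe files before they reach an account. Where hotlink protection is the goal, serving the bucket through CloudFront and keeping the bucket private is the usual replacement for the referrer recipe.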