mohakevin · September 16, 2016 22:33 · Aug 23, 2016 · Jun 29, 2016 · Jun 29, 2016 · Aug 19, 2015
diff --git a/README.md b/README.md
@@ -179,8 +179,9 @@
 ```
 
 **Note:** This policy effectively provides protected user folders within an S3 bucket:
-- The first `s3:ListBucket` action allows *listing only* of object paths at the root and under `BUCKET_PATH/`.
-- The second `s3:ListBucket` allows for listing of all objects from the path of `BUCKET_PATH/BUCKET_SUB_PATH/` and below.
+- The first `s3:ListBucket` action allows *listing only* of objects at the bucket root and under `BUCKET_PATH/`.
+- The second `s3:ListBucket` action allows listing of objects from the path of `BUCKET_PATH/BUCKET_SUB_PATH/` and below.
+- Technique is covered [here](http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke) under the heading _Block 2: Allow listing objects in root and home folders_.
 
 ## Full access (and S3 console) for specific IAM users
 **Type:** user/group
@@ -212,8 +213,8 @@
 ```
 
 ## Reference
-- http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
-- http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
+- Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket: http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
+- Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket: http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
 - Summary of S3 `Action` types and their use: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
 - http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
 - http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
diff --git a/README.md b/README.md
@@ -2,8 +2,8 @@
 - [Anonymous GET access](#anonymous-get-access)
 - [Anonymous GET access - match HTTP referrer](#anonymous-get-access---match-http-referrer)
 - [Full access for specific IAM user/role](#full-access-for-specific-iam-userrole)
-- [Put/delete access to specific path within a bucket](#putdelete-access-to-specific-path-within-a-bucket)
-- [List/put/delete access to specific path within a bucket](#listputdelete-access-to-specific-path-within-a-bucket)
+- [GET/PUT/DELETE access to specific path within a bucket](#getputdelete-access-to-specific-path-within-a-bucket)
+- [LIST/PUT/DELETE access to specific path within a bucket](#listputdelete-access-to-specific-path-within-a-bucket)
 - [Full access (and S3 console) for specific IAM users](#full-access-and-s3-console-for-specific-iam-users)
 
 ## Anonymous GET access
@@ -95,7 +95,7 @@
 }
 ```
 
-## Put/delete access to specific path within a bucket
+## GET/PUT/DELETE access to specific path within a bucket
 **Type:** user/group
 
 ```json
@@ -114,6 +114,7 @@
 		{
 			"Action": [
 				"s3:DeleteObject",
+				"s3:GetObject",
 				"s3:PutObject"
 			],
 			"Effect": "Allow",
@@ -125,9 +126,9 @@
 }
 ```
 
-**Note:** The `s3:ListBucket` action against the bucket as a whole allows for the *listing* of bucket objects.
+**Note:** The [`s3:ListBucket`](http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets) action against the bucket as a whole allows for the *listing* of bucket objects.
 
-## List/put/delete access to specific path within a bucket
+## LIST/PUT/DELETE access to specific path within a bucket
 **Type:** user/group
 
 ```json
@@ -213,6 +214,6 @@
 ## Reference
 - http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
 - http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
-- http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
+- Summary of S3 `Action` types and their use: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
 - http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
 - http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
diff --git a/README.md b/README.md
@@ -215,3 +215,4 @@
 - http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
 - http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
 - http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
+- http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
diff --git a/README.md b/README.md
@@ -177,7 +177,9 @@
 }
 ```
 
-**Note:** This policy effectively provides protected user folders within an S3 bucket. The first `s3:ListBucket` action allows *listing only* of object paths at the root and under `BUCKET_PATH/`. The second `s3:ListBucket` allows for listing of all objects from the path of `BUCKET_PATH/BUCKET_SUB_PATH/` and below.
+**Note:** This policy effectively provides protected user folders within an S3 bucket:
+- The first `s3:ListBucket` action allows *listing only* of object paths at the root and under `BUCKET_PATH/`.
+- The second `s3:ListBucket` allows for listing of all objects from the path of `BUCKET_PATH/BUCKET_SUB_PATH/` and below.
 
 ## Full access (and S3 console) for specific IAM users
 **Type:** user/group

diff --git a/README.md b/README.md
@@ -125,7 +125,7 @@
 }
 ```
 
-Note: The `s3:ListBucket` action against the bucket as a whole allows for the *listing* of bucket objects.
+**Note:** The `s3:ListBucket` action against the bucket as a whole allows for the *listing* of bucket objects.
 
 ## List/put/delete access to specific path within a bucket
 **Type:** user/group
@@ -177,6 +177,8 @@ Note: The `s3:ListBucket` action against the bucket as a whole allows for the *l
 }
 ```
 
+**Note:** This policy effectively provides protected user folders within an S3 bucket. The first `s3:ListBucket` action allows *listing only* of object paths at the root and under `BUCKET_PATH/`. The second `s3:ListBucket` allows for listing of all objects from the path of `BUCKET_PATH/BUCKET_SUB_PATH/` and below.
+
 ## Full access (and S3 console) for specific IAM users
 **Type:** user/group
 

diff --git a/README.md b/README.md
@@ -210,3 +210,4 @@ Note: The `s3:ListBucket` action against the bucket as a whole allows for the *l
 - http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
 - http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
 - http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
+- http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
diff --git a/README.md b/README.md
@@ -3,6 +3,7 @@
 - [Anonymous GET access - match HTTP referrer](#anonymous-get-access---match-http-referrer)
 - [Full access for specific IAM user/role](#full-access-for-specific-iam-userrole)
 - [Put/delete access to specific path within a bucket](#putdelete-access-to-specific-path-within-a-bucket)
+- [List/put/delete access to specific path within a bucket](#listputdelete-access-to-specific-path-within-a-bucket)
 - [Full access (and S3 console) for specific IAM users](#full-access-and-s3-console-for-specific-iam-users)
 
 ## Anonymous GET access
@@ -126,6 +127,56 @@
 
 Note: The `s3:ListBucket` action against the bucket as a whole allows for the *listing* of bucket objects.
 
+## List/put/delete access to specific path within a bucket
+**Type:** user/group
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": [
+				"s3:ListBucket"
+			],
+			"Condition": {
+				"StringEquals": {
+					"s3:delimiter": ["/"],
+					"s3:prefix": ["","BUCKET_PATH/"]
+				}
+			},
+			"Effect": "Allow",
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME"
+			]
+		},
+		{
+			"Action": [
+				"s3:ListBucket"
+			],
+			"Condition": {
+				"StringLike": {
+					"s3:prefix": ["BUCKET_PATH/BUCKET_SUB_PATH/*"]
+				}
+			},
+			"Effect": "Allow",
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME"
+			]
+		},
+		{
+			"Action": [
+				"s3:DeleteObject",
+				"s3:PutObject"
+			],
+			"Effect": "Allow",
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/BUCKET_SUB_PATH/*"
+			]
+		}
+	]
+}
+```
+
 ## Full access (and S3 console) for specific IAM users
 **Type:** user/group
 
@@ -157,4 +208,5 @@ Note: The `s3:ListBucket` action against the bucket as a whole allows for the *l
 
 ## Reference
 - http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
+- http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
 - http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
diff --git a/README.md b/README.md
@@ -124,6 +124,8 @@
 }
 ```
 
+Note: The `s3:ListBucket` action against the bucket as a whole allows for the *listing* of bucket objects.
+
 ## Full access (and S3 console) for specific IAM users
 **Type:** user/group
 

diff --git a/README.md b/README.md
@@ -155,3 +155,4 @@
 
 ## Reference
 - http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
+- http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
diff --git a/README.md b/README.md
@@ -1,8 +1,9 @@
 # AWS S3 bucket policy recipes
 - [Anonymous GET access](#anonymous-get-access)
-- [Anonymous GET access match HTTP referrer](#anonymous-get-access-match-http-referrer)
+- [Anonymous GET access - match HTTP referrer](#anonymous-get-access---match-http-referrer)
 - [Full access for specific IAM user/role](#full-access-for-specific-iam-userrole)
-- [Full access (and S3 weblogin) for specific IAM users](#full-access-and-s3-weblogin-for-specific-iam-users)
+- [Put/delete access to specific path within a bucket](#putdelete-access-to-specific-path-within-a-bucket)
+- [Full access (and S3 console) for specific IAM users](#full-access-and-s3-console-for-specific-iam-users)
 
 ## Anonymous GET access
 **Type:** bucket
@@ -29,7 +30,7 @@
 }
 ```
 
-## Anonymous GET access match HTTP referrer
+## Anonymous GET access - match HTTP referrer
 **Type:** bucket
 
 ```json
@@ -93,10 +94,38 @@
 }
 ```
 
-## Full access (and S3 weblogin) for specific IAM users
-**Type:** group/user
+## Put/delete access to specific path within a bucket
+**Type:** user/group
 
-**Note:** specifying both `arn:aws:s3:::BUCKET_NAME` and `arn:aws:s3:::BUCKET_NAME/*` under the `"Resource"` block allows the IAM user to list objects at the root level of the bucket.
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": [
+				"s3:ListBucket"
+			],
+			"Effect": "Allow",
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME"
+			]
+		},
+		{
+			"Action": [
+				"s3:DeleteObject",
+				"s3:PutObject"
+			],
+			"Effect": "Allow",
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME/BUCKET_PATH/*"
+			]
+		}
+	]
+}
+```
+
+## Full access (and S3 console) for specific IAM users
+**Type:** user/group
 
 ```json
 {
@@ -117,10 +146,12 @@
 			],
 			"Effect": "Allow",
 			"Resource": [
-				"arn:aws:s3:::BUCKET_NAME",
 				"arn:aws:s3:::BUCKET_NAME/*"
 			]
 		}
 	]
 }
 ```
+
+## Reference
+- http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
diff --git a/README.md b/README.md
@@ -76,12 +76,12 @@
 			"Effect": "Allow",
 			"Principal": {
 				"AWS": [
-					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_A",
-					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_B",
-					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_C",
-					"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_A",
-					"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_B",
-					"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_C"
+					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_A",
+					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_B",
+					"arn:aws:iam::ACCOUNT_ID:user/USERNAME_C",
+					"arn:aws:iam::ACCOUNT_ID:role/ROLE_A",
+					"arn:aws:iam::ACCOUNT_ID:role/ROLE_B",
+					"arn:aws:iam::ACCOUNT_ID:role/ROLE_C"
 				]
 			},
 			"Resource": [

diff --git a/README.md b/README.md
@@ -12,15 +12,15 @@
 	"Version": "2012-10-17",
 	"Statement": [
 		{
+			"Action": [
+				"s3:GetObject"
+			],
 			"Effect": "Allow",
 			"Principal": {
 				"AWS": [
 					"*"
 				]
 			},
-			"Action": [
-				"s3:GetObject"
-			],
 			"Resource": [
 				"arn:aws:s3:::BUCKET_NAME/*"
 			]
@@ -37,26 +37,26 @@
 	"Version": "2012-10-17",
 	"Statement": [
 		{
-			"Effect": "Allow",
-			"Principal": {
-				"AWS": [
-					"*"
-				]
-			},
 			"Action": [
 				"s3:GetObject"
 			],
-			"Resource": [
-				"arn:aws:s3:::BUCKET_NAME/*"
-			],
 			"Condition": {
 				"StringLike": {
 					"aws:Referer": [
 						"http://domain.com/*",
 						"http://www.domain.com/*"
 					]
 				}
-			}
+			},
+			"Effect": "Allow",
+			"Principal": {
+				"AWS": [
+					"*"
+				]
+			},
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME/*"
+			]
 		}
 	]
 }
@@ -70,6 +70,9 @@
 	"Version": "2012-10-17",
 	"Statement": [
 		{
+			"Action": [
+				"s3:*"
+			],
 			"Effect": "Allow",
 			"Principal": {
 				"AWS": [
@@ -81,9 +84,6 @@
 					"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_C"
 				]
 			},
-			"Action": [
-				"s3:*"
-			],
 			"Resource": [
 				"arn:aws:s3:::BUCKET_NAME",
 				"arn:aws:s3:::BUCKET_NAME/*"
@@ -103,19 +103,19 @@
 	"Version": "2012-10-17",
 	"Statement": [
 		{
-			"Effect": "Allow",
 			"Action": [
 				"s3:ListAllMyBuckets"
 			],
+			"Effect": "Allow",
 			"Resource": [
 				"arn:aws:s3:::*"
 			]
 		},
 		{
-			"Effect": "Allow",
 			"Action": [
 				"s3:*"
 			],
+			"Effect": "Allow",
 			"Resource": [
 				"arn:aws:s3:::BUCKET_NAME",
 				"arn:aws:s3:::BUCKET_NAME/*"

diff --git a/README.md b/README.md
@@ -95,6 +95,7 @@
 
 ## Full access (and S3 weblogin) for specific IAM users
 **Type:** group/user
+
 **Note:** specifying both `arn:aws:s3:::BUCKET_NAME` and `arn:aws:s3:::BUCKET_NAME/*` under the `"Resource"` block allows the IAM user to list objects at the root level of the bucket.
 
 ```json

diff --git a/README.md b/README.md
@@ -1,4 +1,8 @@
 # AWS S3 bucket policy recipes
+- [Anonymous GET access](#anonymous-get-access)
+- [Anonymous GET access match HTTP referrer](#anonymous-get-access-match-http-referrer)
+- [Full access for specific IAM user/role](#full-access-for-specific-iam-userrole)
+- [Full access (and S3 weblogin) for specific IAM users](#full-access-and-s3-weblogin-for-specific-iam-users)
 
 ## Anonymous GET access
 **Type:** bucket
@@ -58,7 +62,7 @@
 }
 ```
 
-## Full access for specific IAM users
+## Full access for specific IAM user/role
 **Type:** bucket
 
 ```json
@@ -71,7 +75,10 @@
 				"AWS": [
 					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_A",
 					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_B",
-					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_C"
+					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_C",
+					"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_A",
+					"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_B",
+					"arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_C"
 				]
 			},
 			"Action": [

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # AWS S3 bucket policy recipes
 
-## Anonymous GET access (read-only)
+## Anonymous GET access
 **Type:** bucket
 
 ```json
@@ -25,6 +25,39 @@
 }
 ```
 
+## Anonymous GET access match HTTP referrer
+**Type:** bucket
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Principal": {
+				"AWS": [
+					"*"
+				]
+			},
+			"Action": [
+				"s3:GetObject"
+			],
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME/*"
+			],
+			"Condition": {
+				"StringLike": {
+					"aws:Referer": [
+						"http://domain.com/*",
+						"http://www.domain.com/*"
+					]
+				}
+			}
+		}
+	]
+}
+```
+
 ## Full access for specific IAM users
 **Type:** bucket
 
@@ -54,7 +87,7 @@
 ```
 
 ## Full access (and S3 weblogin) for specific IAM users
-**Type:** group/user  
+**Type:** group/user
 **Note:** specifying both `arn:aws:s3:::BUCKET_NAME` and `arn:aws:s3:::BUCKET_NAME/*` under the `"Resource"` block allows the IAM user to list objects at the root level of the bucket.
 
 ```json

diff --git a/README.md b/README.md
@@ -45,6 +45,7 @@
 				"s3:*"
 			],
 			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME",
 				"arn:aws:s3:::BUCKET_NAME/*"
 			]
 		}

diff --git a/README.md b/README.md
@@ -0,0 +1,84 @@
+# AWS S3 bucket policy recipes
+
+## Anonymous GET access (read-only)
+**Type:** bucket
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Principal": {
+				"AWS": [
+					"*"
+				]
+			},
+			"Action": [
+				"s3:GetObject"
+			],
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME/*"
+			]
+		}
+	]
+}
+```
+
+## Full access for specific IAM users
+**Type:** bucket
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Principal": {
+				"AWS": [
+					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_A",
+					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_B",
+					"arn:aws:iam::ACCOUNT_NUMBER:user/USERNAME_C"
+				]
+			},
+			"Action": [
+				"s3:*"
+			],
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME/*"
+			]
+		}
+	]
+}
+```
+
+## Full access (and S3 weblogin) for specific IAM users
+**Type:** group/user  
+**Note:** specifying both `arn:aws:s3:::BUCKET_NAME` and `arn:aws:s3:::BUCKET_NAME/*` under the `"Resource"` block allows the IAM user to list objects at the root level of the bucket.
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"s3:ListAllMyBuckets"
+			],
+			"Resource": [
+				"arn:aws:s3:::*"
+			]
+		},
+		{
+			"Effect": "Allow",
+			"Action": [
+				"s3:*"
+			],
+			"Resource": [
+				"arn:aws:s3:::BUCKET_NAME",
+				"arn:aws:s3:::BUCKET_NAME/*"
+			]
+		}
+	]
+}
+```