AWS/S3 Bucket Policies

From Ever changing code
Revision as of 21:29, 20 December 2018 by Pio2pio (Pio2pio moved page AWS IAM Policy My Examples to AWS/IAM Policy My Examples without leaving a redirect)

Working with JSON

Download the Notepad++ plugin nppjsonviewer. Install it by dropping the DLL into the plugin folder, or use the Plugin Manager by going to Plugins > Plugin Manager > Show Plugin Manager and finding JSON Viewer (latest version at the time of writing: 1.21).

The plugin shows the JSON as a tree in a separate frame and also pretty-prints it in the main Notepad++ window. To format a JSON string, paste it into Notepad++ and select it, then go to Plugins > JSON Viewer > Format JSON [Ctrl+Alt+Shift+M]; it formats the selection instantly. Then choose Show JSON Viewer [Ctrl+Alt+Shift+J] to open the tree view.

Policy Examples

Read-only access to certain S3 buckets

A sample AWS IAM JSON policy granting read-only access to certain S3 buckets, formatted by JSON Viewer in NP++. All statements sit in a single "Statement" array: a repeated "Statement" key is not valid in a policy document, and a JSON parser would silently keep only the last one.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": ["s3:ListBucket",
		"s3:GetObject",
		"s3:GetObjectVersion"],
		"Resource": ["arn:aws:s3:::my_bucket/*",
		"arn:aws:s3:::my_bucket"]
	},
	{
		"Effect": "Allow",
		"Action": ["s3:ListBucket",
		"s3:GetObject",
		"s3:GetObjectVersion"],
		"Resource": ["arn:aws:s3:::my_other_bucket/*",
		"arn:aws:s3:::my_other_bucket"]
	},
	{
		"Effect": "Allow",
		"Action": ["s3:ListAllMyBuckets"],
		"Resource": "*"
	}]
}
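A common mistake when hand-editing a policy of this kind is to repeat the top-level "Statement" key once per bucket instead of listing every statement in one array. Python's json module, like most parsers, keeps only the last duplicate and raises no error, so two of three grants vanish silently. The following added check (example code, not from the page) refuses duplicate keys, reports how many statements a lenient parser would see, and folds repeated Statement lists back into one valid document. The policy text embedded below is constructed for the example.

```python
import json

# Constructed policy text (not from any real account): the top-level "Statement"
# key is repeated once per bucket, which is a common hand-editing mistake.
DUPLICATED_POLICY = """
{
  "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
                 "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"]}],
  "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
                 "Resource": ["arn:aws:s3:::my_other_bucket", "arn:aws:s3:::my_other_bucket/*"]}],
  "Statement": [{"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"}]
}
"""


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key; the stdlib would silently keep the last value."""


def _reject_duplicates(pairs):
    # object_pairs_hook receives every object's (key, value) pairs in document order,
    # so a repeated key is visible here even though dict() would hide it.
    out = {}
    for key, value in pairs:
        if key in out:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        out[key] = value
    return out


def load_policy_strict(text):
    """Parse a policy document and fail loudly on any duplicated key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def has_duplicate_keys(text):
    """True if any object in the document repeats a key."""
    try:
        load_policy_strict(text)
    except DuplicateKeyError:
        return True
    return False


def lenient_statement_count(text):
    """How many statements a plain json.loads() sees (last duplicate key wins)."""
    return len(json.loads(text)["Statement"])


def _merge_statement_lists(pairs):
    # Same walk, but a repeated "Statement" list is concatenated instead of rejected;
    # any other repeated key is still an error.
    out = {}
    for key, value in pairs:
        if key in out:
            if key == "Statement" and isinstance(out[key], list) and isinstance(value, list):
                out[key] = out[key] + value
            else:
                raise DuplicateKeyError(f"duplicate key {key!r}")
        else:
            out[key] = value
    return out


def repair_policy(text):
    """Fold repeated top-level Statement keys into one array and add a Version if missing."""
    doc = json.loads(text, object_pairs_hook=_merge_statement_lists)
    doc.setdefault("Version", "2012-10-17")
    return doc


if __name__ == "__main__":
    print("lenient parser sees", lenient_statement_count(DUPLICATED_POLICY), "statement(s)")
    print("duplicate keys present:", has_duplicate_keys(DUPLICATED_POLICY))
    fixed = repair_policy(DUPLICATED_POLICY)
    print(json.dumps(fixed, indent=2))
    print("repaired document clean:", not has_duplicate_keys(json.dumps(fixed)))
```

Running a policy file through load_policy_strict before uploading it catches this class of error locally; the repair step is only a convenience for documents whose only problem is the repeated key.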

Limited access to user-named buckets

This policy structure suits a scenario where you delegate the administration of a group of clients who need to upload files that are too big to send to you by email. Create the following three groups: users in the bucketsadmins group have full access to the company AWS account and can create users and add, remove, and create access keys for your clients. Those clients are then placed in the bucketusers group, which locks them down to a single bucket with API access only.

  • admins - full account administration access to the console and API
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
  • bucketsadmins - these users have full console and API user-management access over the bucketusers group and full access to S3 within the AWS account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToPerformUserActions",
            "Effect": "Allow",
            "Action": [
                "iam:*User",
                "iam:ListUsers",
                "iam:ListGroups",
                "iam:*UserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListUserPolicies",
                "iam:*LoginProfile",
                "iam:*AccessKey*",
                "iam:*SigningCertificate*",
                "iam:*MFADevice*"
            ],
            "Resource": [
                "arn:aws:iam::account-id-without-hyphens:user/*",
                "arn:aws:iam::account-id-without-hyphens:group/*"
            ]
        },
        {
            "Sid": "AllowUsersToAddAndDeleteUserFromGroup",
            "Effect": "Allow",
            "Action": [
                "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup"
            ],
            "Resource": [
                "arn:aws:iam::account-id-without-hyphens:group/bucketusers"
            ]
        },
        {
            "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccount*",
                "iam:ListAccount*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "S3FullAccess",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
  • bucketusers - users have full API access to their own bucket named xyzcompany-awsusername (resolved from the ${aws:username} policy variable)
{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::xyzcompany-${aws:username}"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::xyzcompany-${aws:username}/*"
      }
   ]
}
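To see how the ${aws:username} variable confines each user to one bucket, and to check what the bucketsadmins statement on user/* actually permits, here is an added Python policy evaluator. It is example code, not from the page or from AWS, and it implements only Allow/Deny matching with IAM wildcards and policy variables; Condition keys, NotAction, resource-based policies and permission boundaries are out of scope. The policy dicts are constructed from the page's examples and the account id is the page's own placeholder. Run it and note that the bucketsadmins statement allows iam:PutUserPolicy and iam:CreateAccessKey on every user in the account, including the admins; narrowing that statement's Resource to the users the group is meant to manage is the usual fix.

```python
import re

# Constructed policy documents modelled on the page's bucketusers and bucketsadmins
# groups; the account id placeholder is the page's own, not a real account.
BUCKETUSERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::xyzcompany-${aws:username}"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::xyzcompany-${aws:username}/*"},
    ],
}

BUCKETSADMINS_USER_STATEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUsersToPerformUserActions", "Effect": "Allow",
         "Action": ["iam:*User", "iam:ListUsers", "iam:ListGroups", "iam:*UserPolicy",
                    "iam:ListGroupsForUser", "iam:ListUserPolicies", "iam:*LoginProfile",
                    "iam:*AccessKey*", "iam:*SigningCertificate*", "iam:*MFADevice*"],
         "Resource": ["arn:aws:iam::account-id-without-hyphens:user/*",
                      "arn:aws:iam::account-id-without-hyphens:group/*"]},
    ],
}

# Actions that, when allowed on another user, let a principal hand out new
# permissions or new credentials. Constructed list for this check.
CREDENTIAL_AND_POLICY_ACTIONS = [
    "iam:PutUserPolicy", "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one. Action names
    # compare case-insensitively, ARNs do not.
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _expand_variables(resource, context):
    # Substitute ${aws:username}-style policy variables from the request context. A variable
    # the context cannot supply is left literal, so the statement simply fails to match.
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), resource)


def evaluate(policy, action, resource, context):
    """Simplified identity-policy evaluation: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_iam_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        resources = [_expand_variables(r, context) for r in _as_list(stmt.get("Resource", []))]
        if not any(_iam_match(r, resource, False) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def sensitive_actions_on(policy, user_arn):
    """Which credential- or policy-writing actions does this policy allow on the given user?"""
    return [a for a in CREDENTIAL_AND_POLICY_ACTIONS if evaluate(policy, a, user_arn, {}) == "Allow"]


if __name__ == "__main__":
    alice = {"aws:username": "alice"}
    print("alice, own bucket:  ", evaluate(BUCKETUSERS_POLICY, "s3:GetObject",
                                           "arn:aws:s3:::xyzcompany-alice/report.pdf", alice))
    print("alice, bob's bucket:", evaluate(BUCKETUSERS_POLICY, "s3:GetObject",
                                           "arn:aws:s3:::xyzcompany-bob/report.pdf", alice))
    print("no username in ctx: ", evaluate(BUCKETUSERS_POLICY, "s3:GetObject",
                                           "arn:aws:s3:::xyzcompany-alice/report.pdf", {}))
    print("bucketsadmins on any user:",
          sensitive_actions_on(BUCKETSADMINS_USER_STATEMENT,
                               "arn:aws:iam::account-id-without-hyphens:user/some-admin"))
```

The empty-context case matters in practice: ${aws:username} is only populated for IAM users, so a principal that is a role session gets no match from those statements at all, which is the intended fail-closed behaviour.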