AWS/S3 Bucket Policies

From Ever changing code

Working with JSON

Download the Notepad++ plugin nppjsonviewer. Install it by dropping the DLL into the plugins folder, or use Plugin Manager: go to Plugins > Plugin Manager > Show Plugin Manager and find JSON Viewer (latest version at the time of writing: 1.21).

The plugin shows the JSON as a tree in a separate frame and can also reformat the JSON in the main Notepad++ window. To format a JSON string, paste it into Notepad++ and select it, then go to Plugins > JSON Viewer > Format JSON [Ctrl+Alt+Shift+M]; the selection is reformatted instantly. Then choose Show JSON Viewer [Ctrl+Alt+Shift+J] to open the tree view.

Policy Examples

Read-only access to certain S3 buckets

A sample AWS IAM JSON policy with read-only access to certain S3 buckets, formatted by JSON Viewer in NP++. The three grants sit in a single Statement array: a policy document has one Statement key, and if the key is repeated, JSON parsers generally keep only the last copy and the earlier grants are silently lost.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
			"Resource": ["arn:aws:s3:::my_bucket/*", "arn:aws:s3:::my_bucket"]
		},
		{
			"Effect": "Allow",
			"Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
			"Resource": ["arn:aws:s3:::my_other_bucket/*", "arn:aws:s3:::my_other_bucket"]
		},
		{
			"Effect": "Allow",
			"Action": ["s3:ListAllMyBuckets"],
			"Resource": "*"
		}
	]
}

Limited access to user-named buckets

This policy structure is useful when you want someone to administer a group of users, for example clients who need to upload files that are too big for email into buckets of their own. In this case you create the following three groups:

  • admins - full account administration access to the console and API
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
  • bucketsadmins - these users have full console and API user-management access over the bucketusers group, plus full access to S3 within the AWS account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToPerformUserActions",
            "Effect": "Allow",
            "Action": [
                "iam:*User",
                "iam:ListUsers",
                "iam:ListGroups",
                "iam:*UserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListUserPolicies",
                "iam:*LoginProfile",
                "iam:*AccessKey*",
                "iam:*SigningCertificate*",
                "iam:*MFADevice*"
            ],
            "Resource": [
                "arn:aws:iam::account-id-without-hyphens:user/*",
                "arn:aws:iam::account-id-without-hyphens:group/*"
            ]
        },
        {
            "Sid": "AllowUsersToAddAndDeleteUserFromGroup",
            "Effect": "Allow",
            "Action": [
                "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup"
            ],
            "Resource": [
                "arn:aws:iam::account-id-without-hyphens:group/bucketusers"
            ]
        },
        {
            "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccount*",
                "iam:ListAccount*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "S3FullAccess",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
  • bucketusers - users have full API access to their own bucket, named xyzcompany-awsusername (the policy uses the ${aws:username} variable, so each user reaches only the bucket carrying their IAM user name)
{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::xyzcompany-${aws:username}"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::xyzcompany-${aws:username}/*"
      }
   ]
}
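Two things on this page are easy to get wrong when editing policies by hand: a repeated "Statement" key (as in the read-only example) and the scope of the ${aws:username} variable in the bucketusers policy. The following is an added example, not code from this page or from AWS; it is a deliberately simplified model of IAM evaluation (explicit Deny wins, any matching Allow grants, default deny; Condition blocks, NotAction and principals are ignored) that detects duplicate keys and checks what the bucketusers policy lets a user "alice" do. The policy text and user names are constructed for the demo.

```python
import json
from fnmatch import fnmatchcase
from collections import Counter

# Constructed copy of this page's bucketusers policy (uses the ${aws:username} variable).
BUCKETUSERS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::xyzcompany-${aws:username}"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::xyzcompany-${aws:username}/*"}
  ]
}""")

# Constructed document with the repeated "Statement" key pattern of the read-only example.
DUPLICATE_KEY_DOC = """{
  "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*"}],
  "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]
}"""

def duplicate_keys(text):
    """Keys that occur more than once in the same JSON object; json.loads() keeps only the last."""
    dups = []
    def hook(pairs):
        dups.extend(k for k, n in Counter(k for k, _ in pairs).items() if n > 1)
        return dict(pairs)
    json.loads(text, object_pairs_hook=hook)
    return dups

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource, username):
    """Simplified IAM decision: explicit Deny wins, otherwise any matching Allow, else deny.
    Actions compare case-insensitively with * wildcards; ${aws:username} is substituted in ARNs."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = [r.replace("${aws:username}", username) for r in _as_list(stmt["Resource"])]
        if any(fnmatchcase(action.lower(), a) for a in actions) and \
           any(fnmatchcase(resource, r) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running duplicate_keys on the constructed document reports the repeated "Statement" key, and is_allowed shows that alice can write to xyzcompany-alice/* but not to xyzcompany-bob/*.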