A set of permission policies for use with Amazon Web Services Simple Storage Service (AWS S3) buckets. Each policy should be attached to a different group. The set imitates the Unix permissions model (rwx), where x stands for administrative access to the bucket.
Read (download) access to objects in ‘bucket-name’. No write access, and no access to bucket properties beyond what is needed to navigate in the AWS console (ListAllMyBuckets and GetBucketLocation).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:List*",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
Write (upload/remove) access to objects in ‘bucket-name’. No read access, and no access to bucket properties beyond what is needed to navigate in the AWS console (ListAllMyBuckets and GetBucketLocation).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject*",
        "s3:List*",
        "s3:PutObject*",
        "s3:RestoreObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
Administrative access to the bucket, but not to the objects within it: this group can view and set bucket policies, but has no access to the bucket contents. It can set the lifecycle policy, though, so it does have some indirect control over the objects within.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteBucket*",
        "s3:GetBucket*",
        "s3:GetLifecycleConfiguration",
        "s3:List*",
        "s3:PutBucket*",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
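As an added example (not part of the original page), a small Python evaluator that applies IAM's wildcard matching to the three policies above and reports which group each request would be allowed for, so the rwx split and its overlaps (listing, PutObjectAcl, lifecycle) can be checked before the groups are created. It assumes identity-based Allow statements only; bucket policies, explicit Deny statements and SCPs are not modelled.

```python
import fnmatch

# Added example: models identity-based Allow statements only (no bucket
# policy, explicit Deny or SCP), so one matching Allow is sufficient.
BUCKET = "arn:aws:s3:::bucket-name"

# Action/resource pairs transcribed from the three policies above.
POLICIES = {
    "read": [
        (["s3:GetObject*", "s3:List*", "s3:GetBucketLocation"], [BUCKET, BUCKET + "/*"]),
        (["s3:ListAllMyBuckets"], ["arn:aws:s3:::*"]),
    ],
    "write": [
        (["s3:AbortMultipartUpload", "s3:DeleteObject*", "s3:List*", "s3:PutObject*",
          "s3:RestoreObject", "s3:GetBucketLocation"], [BUCKET, BUCKET + "/*"]),
        (["s3:ListAllMyBuckets"], ["arn:aws:s3:::*"]),
    ],
    "admin": [
        (["s3:DeleteBucket*", "s3:GetBucket*", "s3:GetLifecycleConfiguration", "s3:List*",
          "s3:PutBucket*", "s3:PutLifecycleConfiguration"], [BUCKET, BUCKET + "/*"]),
        (["s3:ListAllMyBuckets"], ["arn:aws:s3:::*"]),
    ],
}

def matches(pattern, value, case_sensitive):
    # IAM wildcards: '*' (spans '/') and '?'; actions are case-insensitive, ARNs are not.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(statements, action, arn):
    """True if some statement allows both the action and the resource."""
    return any(
        any(matches(a, action, False) for a in actions)
        and any(matches(r, arn, True) for r in resources)
        for actions, resources in statements
    )

def who_can(action, arn=BUCKET):
    """Sorted names of the groups whose policy allows this request."""
    return sorted(g for g, s in POLICIES.items() if is_allowed(s, action, arn))

if __name__ == "__main__":
    obj = BUCKET + "/report.csv"
    # Clean r/w split first, then the overlaps: listing keys is not read-only,
    # PutObject* covers PutObjectAcl, and lifecycle rules reach objects.
    for action, arn in [("s3:GetObject", obj), ("s3:PutObject", obj), ("s3:ListBucket", BUCKET),
                        ("s3:PutObjectAcl", obj), ("s3:PutLifecycleConfiguration", BUCKET)]:
        print(f"{action:30} {who_can(action, arn)}")
```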