Steps to auto-generate an AWS S3 policy that grants the access rights you need:
→ Open S3 from the AWS console:
1. Click on the bucket
2. Now, click Properties
3. Click on Add bucket policy:

4. Now, click on AWS Policy Generator:

Or use this link to open the tool:
http://awspolicygen.s3.amazonaws.com/policygen.html
5. Now, select the type of policy from the drop-down list, then use ( * ) to apply it to the whole bucket, then select the appropriate action that you want to perform:

6. Finally, provide the ARN as shown in the snapshot below:

Sample S3 policies
1. List all buckets in S3:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    }
  ]
}
2. The policy below restricts access to the S3 bucket to specific locations, identified by their static IP addresses:
{
  "Version": "2008-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::naviwaf/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "55.50.40.51/32",
            "55.17.141.20/32"
          ]
        }
      }
    }
  ]
}
3. Read-only access from everywhere policy:
{
  "Id": "Policy1491566744687",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1491566743019",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::naviwaf/*",
      "Principal": "*"
    }
  ]
}
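4. Read, write and list all contents of the bucket. As written, the statement has no Principal, so it is an IAM policy to attach to a user, group or role, and "Resource": "*" applies it to every bucket rather than to one: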
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:Put*"
      ],
      "Resource": "*"
    }
  ]
}
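
A quick review of samples 2 to 4 above for over-broad grants before they are attached, as an added example that is not part of the original page. The function names and finding labels are assumptions, and only the aws:SourceIp condition used on this page is treated as a restriction.

```python
import ipaddress

def as_list(value):
    """IAM JSON allows a single string wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return sorted (sid, finding) pairs for over-broad Allow statements."""
    findings = set()
    for i, st in enumerate(as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        principal = st.get("Principal")
        if isinstance(principal, dict):
            anyone = "*" in as_list(principal.get("AWS"))
        else:
            anyone = principal == "*"
        cidrs = as_list(st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp"))
        # A /0 network matches every address, so it restricts nothing.
        open_cidr = any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)
        if anyone and (not cidrs or open_cidr):
            findings.add((sid, "public"))
        actions = as_list(st.get("Action"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.add((sid, "all-actions"))
        wildcard = any(r in ("*", "arn:aws:s3:::*") for r in as_list(st.get("Resource")))
        # s3:ListAllMyBuckets is account-wide by nature; anything else should name a bucket.
        if wildcard and set(actions) != {"s3:ListAllMyBuckets"}:
            findings.add((sid, "all-resources"))
    return sorted(findings)

# Samples 2, 3 and 4 from this page, condensed onto fewer lines.
IP_RESTRICTED = {"Version": "2008-10-17", "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::naviwaf/*",
    "Condition": {"IpAddress": {"aws:SourceIp": [
        "55.50.40.51/32", "55.17.141.20/32"]}}}]}
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1491566743019", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::naviwaf/*"}]}
READ_WRITE_LIST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:Put*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("2", IP_RESTRICTED), ("3", PUBLIC_READ), ("4", READ_WRITE_LIST)]:
        print("sample", name, audit_policy(pol))
```

An empty result means none of these three checks fired; it does not show that the policy is least-privilege.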
