Steps to auto-generate an AWS S3 policy that grants access rights according to your requirements:
→ Open S3 from the AWS console:
1. Click on the S3 bucket.
2. Click Properties.
3. Click Add bucket policy.
4. Click AWS Policy Generator.
Or open the tool directly via this link:
http://awspolicygen.s3.amazonaws.com/policygen.html
5. Select the type of policy from the drop-down list, use ( * ) to apply the statement to the whole bucket, then select the action(s) you want to allow.
6. Finally, provide the ARN as shown in the snapshot below:
Sample S3 policies
1. List all buckets in S3 (this is an IAM identity policy attached to a user or group, which is why it has no Principal element):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    }
  ]
}
2. The policy below limits access to the S3 bucket to specific locations, identified by their static IP addresses. Note that an Allow statement with an IpAddress condition only grants access from those addresses; it does not by itself deny access that other policies (for example IAM policies on users in the account) already grant:
{
  "Version": "2008-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::naviwaf/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [ "55.50.40.51/32", "55.17.141.20/32" ]
        }
      }
    }
  ]
}
3. Read-only access from anywhere (Principal "*" makes every object in the bucket readable by anonymous users):
{
  "Id": "Policy1491566744687",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1491566743019",
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::naviwaf/*",
      "Principal": "*"
    }
  ]
}
4. Read, write and list all contents of the bucket. Like sample 1, this has no Principal and so is an IAM identity policy rather than a bucket policy; because Resource is "*", it applies to every bucket the identity can reach, not just one bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:Get*", "s3:List*", "s3:Put*" ],
      "Resource": "*"
    }
  ]
}
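As an added example (not code from the original post or from AWS), the Python script below does programmatically what steps 5 and 6 do in the Policy Generator for the IP-restricted case (sample 2), and then lints policy documents such as the samples above for statements that grant access to anyone without a Condition, or that lack a Principal and therefore cannot be used as a bucket policy. The bucket name naviwaf and the IP ranges are taken from the samples; the function names and the PROBE_ACTIONS table are this example's own assumptions.

```python
"""Added example: build an IP-restricted S3 bucket policy and lint policy
documents for anonymous access. Function names and the PROBE_ACTIONS table
are this example's own; the bucket name and IP ranges come from the page."""
import fnmatch
import ipaddress
import json

# Constructed copy of the page's "read-only access from anywhere" sample.
READ_ONLY_EVERYWHERE = {
    "Id": "Policy1491566744687",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1491566743019",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::naviwaf/*",
        "Principal": "*",
    }],
}

# Representative actions used to decide what an Action pattern actually grants.
PROBE_ACTIONS = {
    "read": ["s3:GetObject"],
    "list": ["s3:ListBucket"],
    "write": ["s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy"],
}


def ip_restricted_policy(bucket, cidrs, policy_id="S3PolicyId1"):
    """Policy allowing all S3 actions on `bucket` only from the given CIDRs.

    Each CIDR is validated with strict=True so that a typo such as
    10.0.0.1/24 (host bits set) raises ValueError instead of being deployed.
    """
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=True)
    return {
        "Version": "2012-10-17",
        "Id": policy_id,
        "Statement": [{
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            # Bucket ARN covers ListBucket; the /* ARN covers object actions.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # Both "*" and {"AWS": "*"} mean "anyone, including unauthenticated".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _granted_kinds(actions):
    # IAM action matching is case-insensitive and supports * wildcards.
    kinds = set()
    for pattern in _as_list(actions):
        for kind, probes in PROBE_ACTIONS.items():
            if any(fnmatch.fnmatchcase(p.lower(), pattern.lower()) for p in probes):
                kinds.add(kind)
    return kinds


def public_exposure(policy):
    """Map Sid (or Statement[i]) -> access kinds granted to anyone with no Condition."""
    findings = {}
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue
        if _is_anonymous(st["Principal"]) and not st.get("Condition"):
            kinds = _granted_kinds(st.get("Action", []))
            if kinds:
                findings[st.get("Sid", f"Statement[{i}]")] = sorted(kinds)
    return findings


def missing_principal(policy):
    """Sids of statements without Principal/NotPrincipal: valid as IAM identity
    policies, but S3 rejects them as bucket policies."""
    return [st.get("Sid", f"Statement[{i}]")
            for i, st in enumerate(policy.get("Statement", []))
            if "Principal" not in st and "NotPrincipal" not in st]


if __name__ == "__main__":
    policy = ip_restricted_policy("naviwaf", ["55.50.40.51/32", "55.17.141.20/32"])
    print(json.dumps(policy, indent=2))
    print("IP-restricted policy public exposure:", public_exposure(policy))
    print("Read-only sample public exposure:", public_exposure(READ_ONLY_EVERYWHERE))
```

Running the script prints the generated policy and reports no unconditional public grant for it, while the read-only sample is flagged as granting anonymous read. The checker deliberately treats any Condition as "not unconditionally public" rather than evaluating it, so a policy it does not flag still needs a human look at the condition keys; samples 1 and 4 are reported by missing_principal, which is the reason S3 would refuse them as bucket policies.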