# Advanced S3 policy

## Enforcing prefix equal to the name of the user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::gatitos"],
      "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::gatitos/${aws:username}/*"]
    }
  ]
}
```
## Granting access from another account

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddCannedAcl",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]},
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}
    }
  ]
}
```
## Granting public read access (dangerous!)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    }
  ]
}
```
## Granting access from IP

```json
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      }
    }
  ]
}
```
## Granting access from Cloudfront

```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    }
  ]
}
```
## Enforcing MFA

```json
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
      "Condition": {"Null": {"aws:MultiFactorAuthAge": true}}
    }
  ]
}
```

## More examples

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
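To see how the policies above actually decide a request, here is a small offline evaluator covering the per-user prefix policy, the MFA deny, and the public-read shape. It is an added example, not AWS code and not part of the original paste: it models only the slice of IAM evaluation these snippets rely on (an explicit Deny wins over any Allow, a matching Allow grants, anything else is an implicit deny) and only the condition operators that appear on this page (`StringLike`, `StringEquals`, `NotIpAddress`, `Null`). The request-context keys `principal`, `action` and `resource` and the `s3_request` helper are this script's own convention, the account id in the caller ARN is a placeholder, and the three policy dicts are constructed copies of the page's examples. It generalises the page's individual policies into one evaluator; for decisions that matter, use the IAM policy simulator rather than this approximation.

```python
"""Offline evaluator for the bucket-policy patterns collected above (added example).

Models the subset of IAM evaluation these examples rely on: explicit Deny wins,
a matching Allow grants, everything else is an implicit deny. Only the operators
used on this page are implemented: StringLike, StringEquals, NotIpAddress, Null.
"""
import fnmatch
import ipaddress
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _substitute(pattern, ctx):
    # Fill ${aws:username}-style policy variables from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), pattern)

def _glob(value, patterns, ctx):
    # IAM wildcards (* and ?) behave like shell globs; '*' also crosses '/'.
    return any(fnmatch.fnmatchcase(value, _substitute(p, ctx)) for p in _as_list(patterns))

def _condition_ok(cond, ctx):
    """True when every operator/key pair in a Condition block is satisfied."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if op == "Null":  # Null: true means the key must be absent (no MFA in session)
                if (actual is None) != (str(wanted).lower() == "true"):
                    return False
            elif actual is None:
                return False  # a missing key never satisfies a string or IP operator
            elif op == "StringEquals":
                if actual not in [_substitute(str(v), ctx) for v in _as_list(wanted)]:
                    return False
            elif op == "StringLike":
                if not _glob(actual, wanted, ctx):
                    return False
            elif op == "NotIpAddress":
                if any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in _as_list(wanted)):
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled here")
    return True

def _principal_ok(principal, ctx):
    # Identity policies (first example above) have no Principal: they apply to the caller.
    if principal in (None, "*"):
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or ctx["principal"] in allowed

def evaluate(policy, request):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request context."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_principal_ok(stmt.get("Principal"), request)
                and _glob(request["action"], stmt["Action"], request)
                and _glob(request["resource"], stmt["Resource"], request)
                and _condition_ok(stmt.get("Condition", {}), request)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def public_statements(policy):
    """Sids of Allow statements open to any principal with no Condition (the
    'dangerous' shape above). A Deny with Principal "*" restricts, not exposes."""
    hits = []
    for stmt in policy["Statement"]:
        p = stmt.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        if stmt["Effect"] == "Allow" and anyone and "Condition" not in stmt:
            hits.append(stmt.get("Sid", "<no sid>"))
    return hits

# Constructed copies of three policies from this page.
USER_PREFIX_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::gatitos"],
     "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}},
    {"Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::gatitos/${aws:username}/*"]}]}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}]}
MFA_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
     "Condition": {"Null": {"aws:MultiFactorAuthAge": True}}}]}

def s3_request(user, action, resource, **keys):
    """Request context; 'user' fills the caller ARN (placeholder account id) and ${aws:username}."""
    ctx = {"principal": f"arn:aws:iam::111122223333:user/{user}", "aws:username": user,
           "action": action, "resource": resource}
    ctx.update(keys)  # extra condition keys such as {"s3:prefix": ..., "aws:SourceIp": ...}
    return ctx

if __name__ == "__main__":
    print(evaluate(USER_PREFIX_POLICY, s3_request("alice", "s3:ListBucket", "arn:aws:s3:::gatitos", **{"s3:prefix": "bob/"})))
    print(evaluate(MFA_DENY_POLICY, s3_request("alice", "s3:GetObject", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/1.pdf")))
    print(public_statements(PUBLIC_READ_POLICY))
```

Two things the run makes visible that the JSON alone does not: `alice` listing under `bob/` is an implicit deny because the `${aws:username}` substitution turns the `StringLike` pattern into `alice/*`, and the MFA policy on its own never yields `Allow`, since a Deny-only statement restricts but grants nothing; an MFA-backed session simply falls through to whatever other policy applies. `public_statements` flags only the `PublicRead` shape, not the IP or MFA statements, because those are Denies with `Principal: "*"`.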