S3 bucket policy examples
Grant full permission to another account
```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForPrincipal",
  "Statement": [
    {
      "Sid": "AccountAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::myBucket",
        "arn:aws:s3:::myBucket/*"
      ]
    }
  ]
}
```
Notes
- The principal is the root of the other account. To give a specific user in that account access, that access must then be delegated through an IAM policy inside that account.
- The Resource list must include the bucket ARN itself if you want to grant the "ListObjects" operation: the corresponding `s3:ListBucket` action is evaluated against the bucket ARN, not against object ARNs.
Grant read/write from a specific set of IP addresses
```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForIP",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::myBucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "10.10.10.10/32",
            "168.0.0.10/32"
          ]
        }
      }
    }
  ]
}
```
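As an added example (not part of the original post), the script below audits bucket policy statements such as the two above for the points the notes raise: an anonymous `"*"` principal whose only gate is a Condition, the catch-all `s3:*` action, and bucket-level actions requested without the bucket ARN in Resource (which is why `PolicyForIP` will not allow listing). `SCOPED_POLICY` is a constructed, narrowed variant; its account id is a placeholder.

```python
# IAM actions evaluated against the bucket ARN rather than an object ARN.
BUCKET_LEVEL_ACTIONS = {"s3:listbucket", "s3:getbucketpolicy", "s3:putbucketpolicy"}

# The two policies from the post, plus a narrowed variant (account id is a placeholder).
POLICY_FOR_PRINCIPAL = {"Statement": [{"Sid": "AccountAllow", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::XXXXXX:root"}, "Action": "s3:*",
    "Resource": ["arn:aws:s3:::myBucket", "arn:aws:s3:::myBucket/*"]}]}
POLICY_FOR_IP = {"Statement": [{"Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::myBucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["10.10.10.10/32", "168.0.0.10/32"]}}}]}
SCOPED_POLICY = {"Statement": [{"Sid": "ReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::myBucket", "arn:aws:s3:::myBucket/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def audit_policy(policy: dict) -> list[str]:
    """Return one finding per flagged pattern; an empty list means nothing was flagged."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if _is_anonymous(stmt.get("Principal")):
            if "Condition" in stmt:
                findings.append(f"{sid}: anonymous principal, access gated only by "
                                f"Condition keys {sorted(stmt['Condition'])}")
            else:
                findings.append(f"{sid}: anonymous principal with no Condition")
        if "s3:*" in actions:
            findings.append(f"{sid}: grants every S3 action (s3:*), including delete")
        # Bucket-level actions need the bare bucket ARN; object ARNs contain a "/".
        needs_bucket_arn = "s3:*" in actions or bool(actions & BUCKET_LEVEL_ACTIONS)
        has_bucket_arn = any("/" not in r.rsplit(":::", 1)[-1] for r in resources)
        if needs_bucket_arn and not has_bucket_arn:
            findings.append(f"{sid}: bucket-level actions such as s3:ListBucket requested "
                            "but no bucket ARN in Resource, so listing will be denied")
    return findings

if __name__ == "__main__":
    for name, pol in [("PolicyForPrincipal", POLICY_FOR_PRINCIPAL),
                      ("PolicyForIP", POLICY_FOR_IP), ("Scoped", SCOPED_POLICY)]:
        print(name, audit_policy(pol) or ["no findings"])
```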