An S3 bucket policy to allow full-access for a single bucket.

When I have a new project that requires some Ama­zon S3 stor­age, I try to do the ​“right thing” for secu­ri­ty by cre­at­ing a new user and a new buck­et entire­ly. I don’t want to share any cre­den­tials across projects.

That means after I have cre­at­ed my S3 buck­et I neeed to assign a user with the appro­pri­ate per­mis­sions. For me, that typ­i­cal­ly means I want this new user to have full access to man­age that buck­et and no oth­ers.

Since I have to dig around every time I do this to cre­ate the pol­i­cy, I decid­ed to post it here. In the exam­ple below, my buck­et name is ​“mybucket­name”. Cre­ative!

You can assign this pol­i­cy to your user direct­ly or apply it to a group of users.

About the Sid line, I’ve added that because the buck­et I’m cre­at­ing will now, by default, make the files I’m upload­ing avail­able to the pub­lic. Regard­ing this set­ting, the Ama­zon docs say ​“The Sid (state­ment ID) is an option­al iden­ti­fi­er that you pro­vide for the pol­i­cy state­ment.” So, basi­cal­ly, I think it’s there to help you iden­ti­fy the pol­i­cy’s role next time you come take a look at the pol­i­cy state­ment.

In prac­ti­cle terms, I’m using this buck­et to store images I’m upload­ing from a web form for use by an API. I want those uploaded images view­able by the world and ​“Allow­Pub­li­cRead” is hope­ful­ly a way for me to quick­ly iden­ti­fy that lat­er.

{
    "Version": "2012-10-17",
    "Statement": [
        {
           "Effect": "Allow",
           "Action": [
             "s3:GetBucketLocation",
             "s3:ListAllMyBuckets"
           ],
           "Resource": "*"
         },
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname",
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}

Update

I’m no longer using the above IAM pol­i­cy. Here’s the IAM pol­i­cy I’ve migrat­ed to as of 2023. This includ­ed per­mis­sions for Cloud­Front, which I use to dis­trib­ute images from the S3 buck­et.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:GetObjectAcl",
            "s3:PutObjectAcl",
            "cloudfront:ListInvalidations",
            "cloudfront:GetInvalidation",
            "cloudfront:CreateInvalidation"
        ],
        "Resource": [
            "arn:aws:s3:::assets.example.com/site-assets/*",
            "arn:aws:s3:::assets.example.com",
            "arn:aws:cloudfront::REPLACEME:distribution/REPLACEME"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::assets.example.com"
        ]
    }
]
}