S3 IAM Policies

Each policy below is given twice: as IAM policy JSON and as the equivalent Terraform `aws_iam_policy_document`. `${Partition}`, `${Bucket}` and `${Prefix}` are template placeholders and must be substituted before use — in IAM JSON the `${...}` form is policy-variable syntax, and in Terraform a bare name like `${Partition}` is not a valid reference. Because `*` and `?` are wildcards both in `Resource` ARNs and in `StringLike` conditions, the substituted bucket name and prefix must not contain those characters, or the grant becomes wider than intended.
Read-only bucket: list every key in the bucket and read current object versions, their ACLs, retention and legal-hold settings, and tags. No write, delete or ACL-changing action is granted. `s3:GetObjectVersion` and `s3:ListBucketVersions` are not included, so on a versioned bucket non-current versions are not readable.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FindAndListBucket",
"Effect": "Allow",
"Action": ["s3:GetBucketLocation", "s3:ListBucket"],
"Resource": "arn:${Partition}:s3:::${Bucket}"
},
{
"Sid": "GetObjects",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging"
],
"Resource": "arn:${Partition}:s3:::${Bucket}/*"
}
]
}
# Read-only access to one bucket: list it, and read (but never write,
# delete or re-ACL) the objects in it.
#
# NOTE(review): `${Partition}` and `${Bucket}` read as template placeholders
# rather than Terraform references; replace them with real expressions
# (e.g. data.aws_partition.current.partition, var.bucket) before applying.
data "aws_iam_policy_document" "read_only_bucket" {
  # Bucket-level actions are evaluated against the bucket ARN itself
  # (no trailing "/*"); granting them on the object ARN would not work.
  statement {
    sid       = "FindAndListBucket"
    effect    = "Allow"
    actions   = ["s3:GetBucketLocation", "s3:ListBucket"]
    resources = ["arn:${Partition}:s3:::${Bucket}"]
  }

  # Object-level actions are evaluated against the object ARN pattern.
  # Only Get* actions are listed: no s3:PutObject, s3:DeleteObject or
  # s3:PutObjectAcl. s3:GetObjectVersion is also absent, so only current
  # versions are readable on a versioned bucket.
  statement {
    sid    = "GetObjects"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectLegalHold",
      "s3:GetObjectRetention",
      "s3:GetObjectTagging",
    ]
    resources = ["arn:${Partition}:s3:::${Bucket}/*"]
  }
}
Read-only bucket with prefix: the same read set, but scoped to one key prefix. `s3:ListBucket` is allowed only when the request's `prefix` parameter matches `${Prefix}/*` (a listing with no `prefix`, e.g. of the bucket root, has no `s3:prefix` key in the request context and is therefore denied), and object reads are limited to keys under `${Prefix}/`. Tools that browse from the bucket root need an additional allowed `s3:prefix` value (such as `""` and `${Prefix}` with `delimiter` `/`); add it only if that wider listing is acceptable.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FindBucket",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:${Partition}:s3:::${Bucket}"
},
{
"Sid": "ListBucketWithPrefix",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:${Partition}:s3:::${Bucket}",
"Condition": {
"StringLike": {
"s3:prefix": "${Prefix}/*"
}
}
},
{
"Sid": "GetObjectsWithPrefix",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging"
],
"Resource": "arn:${Partition}:s3:::${Bucket}/${Prefix}/*"
}
]
}
# Read-only access limited to the keys under one prefix of a bucket.
#
# NOTE(review): `${Partition}`, `${Bucket}` and `${Prefix}` read as template
# placeholders, not Terraform references; substitute real expressions before
# applying. `*` and `?` are wildcards in both the StringLike condition and
# the resource ARN, so the substituted prefix must not contain them.
data "aws_iam_policy_document" "read_only_bucket_with_prefix" {
  # Bucket-level, unconditional: only the location lookup.
  statement {
    sid       = "FindBucket"
    effect    = "Allow"
    actions   = ["s3:GetBucketLocation"]
    resources = ["arn:${Partition}:s3:::${Bucket}"]
  }

  # Bucket-level listing, gated on the request's `prefix` parameter.
  # A listing without a `prefix` parameter has no s3:prefix key in the
  # request context, so StringLike does not match and the call is denied.
  statement {
    sid       = "ListBucketWithPrefix"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:${Partition}:s3:::${Bucket}"]

    condition {
      variable = "s3:prefix"
      test     = "StringLike"
      values   = ["${Prefix}/*"]
    }
  }

  # Object-level reads, scoped by the ARN to keys under "${Prefix}/".
  # No Put*, Delete* or PutObjectAcl is granted.
  statement {
    sid    = "GetObjectsWithPrefix"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectLegalHold",
      "s3:GetObjectRetention",
      "s3:GetObjectTagging",
    ]
    resources = ["arn:${Partition}:s3:::${Bucket}/${Prefix}/*"]
  }
}
Read/write bucket: the read-only set plus `s3:PutObject` and `s3:DeleteObject` on every key. `s3:PutObjectAcl` is not included, so the principal cannot change object ACLs, and `s3:DeleteObjectVersion` is not included, so on a versioned bucket a delete only adds a delete marker rather than removing data. Bucket-level configuration (policy, versioning, lifecycle) stays out of reach.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FindAndListBucket",
"Effect": "Allow",
"Action": ["s3:GetBucketLocation", "s3:ListBucket"],
"Resource": "arn:${Partition}:s3:::${Bucket}"
},
{
"Sid": "ManageObjects",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:PutObject"
],
"Resource": "arn:${Partition}:s3:::${Bucket}/*"
}
]
}
# Read/write access to one bucket: list it, and read, write and delete
# objects in it. No bucket-configuration or ACL-changing actions.
#
# NOTE(review): `${Partition}` and `${Bucket}` read as template placeholders
# rather than Terraform references; substitute real expressions before use.
data "aws_iam_policy_document" "read_write_bucket" {
  # Bucket-level actions on the bucket ARN (no trailing "/*").
  statement {
    sid       = "FindAndListBucket"
    effect    = "Allow"
    actions   = ["s3:GetBucketLocation", "s3:ListBucket"]
    resources = ["arn:${Partition}:s3:::${Bucket}"]
  }

  # Object-level actions on the object ARN pattern. Note what is absent:
  # s3:PutObjectAcl (object ACLs cannot be changed) and
  # s3:DeleteObjectVersion (on a versioned bucket a delete only adds a
  # delete marker).
  statement {
    sid    = "ManageObjects"
    effect = "Allow"
    actions = [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectLegalHold",
      "s3:GetObjectRetention",
      "s3:GetObjectTagging",
      "s3:PutObject",
    ]
    resources = ["arn:${Partition}:s3:::${Bucket}/*"]
  }
}
Read/write bucket with prefix: the read/write set scoped to one key prefix. Listing is allowed only when the request's `prefix` parameter matches `${Prefix}/*`, and reads, writes and deletes are limited by the resource ARN to keys under `${Prefix}/`. As above, `s3:PutObjectAcl` and `s3:DeleteObjectVersion` are not granted, and a substituted `${Prefix}` containing `*` or `?` would widen both the condition and the ARN match.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FindBucket",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:${Partition}:s3:::${Bucket}"
},
{
"Sid": "ListBucketWithPrefix",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:${Partition}:s3:::${Bucket}",
"Condition": {
"StringLike": {
"s3:prefix": "${Prefix}/*"
}
}
},
{
"Sid": "ManageObjectsWithPrefix",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:PutObject"
],
"Resource": "arn:${Partition}:s3:::${Bucket}/${Prefix}/*"
}
]
}
# Read/write access limited to the keys under one prefix of a bucket.
#
# NOTE(review): `${Partition}`, `${Bucket}` and `${Prefix}` read as template
# placeholders, not Terraform references; substitute real expressions before
# applying. `*` and `?` are wildcards in both the StringLike condition and
# the resource ARN, so the substituted prefix must not contain them.
data "aws_iam_policy_document" "read_write_bucket_with_prefix" {
  # Bucket-level, unconditional: only the location lookup.
  statement {
    sid       = "FindBucket"
    effect    = "Allow"
    actions   = ["s3:GetBucketLocation"]
    resources = ["arn:${Partition}:s3:::${Bucket}"]
  }

  # Bucket-level listing, gated on the request's `prefix` parameter.
  # A listing without a `prefix` parameter has no s3:prefix key in the
  # request context, so StringLike does not match and the call is denied.
  statement {
    sid       = "ListBucketWithPrefix"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:${Partition}:s3:::${Bucket}"]

    condition {
      variable = "s3:prefix"
      test     = "StringLike"
      values   = ["${Prefix}/*"]
    }
  }

  # Object-level read/write/delete, scoped by the ARN to keys under
  # "${Prefix}/". s3:PutObjectAcl and s3:DeleteObjectVersion are absent:
  # object ACLs cannot be changed, and on a versioned bucket a delete only
  # adds a delete marker.
  statement {
    sid    = "ManageObjectsWithPrefix"
    effect = "Allow"
    actions = [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectLegalHold",
      "s3:GetObjectRetention",
      "s3:GetObjectTagging",
      "s3:PutObject",
    ]
    resources = ["arn:${Partition}:s3:::${Bucket}/${Prefix}/*"]
  }
}