cfbarbero/S3 Bucket Policy Examples.md

Created May 14, 2020 03:23

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/cfbarbero/96b8a840ff103967a06313919d2340cf.js"></script>
Save cfbarbero/96b8a840ff103967a06313919d2340cf to your computer and use it in GitHub Desktop.

Raw

Website bucket policy allowing access from a specific IP address OR from account IAM

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/*"
        },
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "<some IP>/32"
                },
                "StringNotEquals": {
                    "aws:PrincipalAccount": "<account>"
                }
            }
        }
    ]
}