Example S3 Policy: User Reversible Read-Only Policy
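Remove any lifecycle policies from the bucket before putting this policy in place, unless you want them to keep working. Existing lifecycle rules stay active, and because the policy denies `s3:PutLifecycleConfiguration`, the user cannot change them until the policy is removed. The policy is "user reversible" because the same user keeps `s3:PutBucketPolicy` and `s3:DeleteBucketPolicy`: it guards against accidental writes and deletes by that user, but it does not prevent that user from deliberately lifting the restriction.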
{
"Version": "2012-10-17",
"Id": "ReadOnlyPolicy",
"Statement": [
{
"Sid": "AllowGet",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::$tenant:user/$user"]
},
"Action": [
"s3:DeleteBucketPolicy",
"s3:PutBucketPolicy",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3::$tenant:$bucket",
"arn:aws:s3::$tenant:$bucket/*"
]
},
{
"Sid": "DenyPut",
"Effect": "Deny",
"Principal": {
"AWS": ["arn:aws:iam::$tenant:user/$user"]
},
"Action": [
"s3:DeleteBucket",
"s3:DeleteBucketWebsite",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:DeleteReplicationConfiguration",
"s3:PutAccelerateConfiguration",
"s3:PutBucketAcl",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:PutObjectVersionAcl",
"s3:PutReplicationConfiguration",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3::$tenant:$bucket",
"arn:aws:s3::$tenant:$bucket/*"
]
}
]
}