AMAZINGLY DIFFICULT (BAD UX!):
S3 bucket policy
Effect: Allow
Principal: "AWS":"*" (this means anonymous users)
AWS Service: Amazon S3
Actions: All (checkbox)
Amazon Resource Name: arn:aws:s3:::mybucketname/*
Add Conditions: aws:SourceIp: 11.250.157.100/30
Add Statement
AGAIN (this time for anonymous read only):
Effect: Allow
Principal: "AWS":"*" (this means anonymous users)
AWS Service: Amazon S3
Actions: Get Object, List Bucket
Amazon Resource Name: arn:aws:s3:::mybucketname/*
Add Conditions: aws:SourceIp: 130.130.130.130/24
Add Statement
GENERATE POLICY (finally) ... BUT this stupid thing doesn't produce valid JSON (check it at http://jsonlint.com), SO manually modify a good policy example with the "ideas" from the generator... =(
EXAMPLE S3 BUCKET POLICIES
Allow anonymous access to objects
{ "Version": "2008-10-17", "Id": "Policy1379353832200",
  "Statement": [ {
    "Sid": "Stmt1379353830433",
    "Action": [ "s3:GetObject" ],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Principal": { "AWS": "*" }
  } ] }
Allow anonymous access to objects AND list bucket (note that s3:GetObject is granted on the objects, arn:aws:s3:::my-bucket/*, while s3:ListBucket is granted on the bucket itself, arn:aws:s3:::my-bucket)
{ "Id": "Policy1379354408907",
  "Statement": [ {
    "Sid": "Stmt1379354387778",
    "Action": [ "s3:GetObject" ],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Principal": { "AWS": [ "*" ] }
  }, {
    "Sid": "Stmt1379354406018",
    "Action": [ "s3:ListBucket" ],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::my-bucket",
    "Principal": { "AWS": [ "*" ] }
  } ] }
Allow specific IP all access (both statements list the bucket ARN and the object ARN, because s3:ListBucket is evaluated against the bucket ARN and never matches arn:aws:s3:::my-bucket/*)
{ "Statement": [ {
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": "s3:*",
    "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ],
    "Condition": { "IpAddress": { "aws:SourceIp": [ "11.103.28.0/24" ] } }
  }, {
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": [ "s3:ListBucket", "s3:GetObject" ],
    "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ],
    "Condition": { "IpAddress": { "aws:SourceIp": [ "130.130.28.0/24", "120.220.152.224/28", "200.120.126.0/24" ] } }
  } ] }
EXAMPLE S3 BUCKET POLICY (allow from two addresses, except one excluded address)
{ "Version": "2008-10-17", "Id": "S3PolicyId1",
  "Statement": [ {
    "Sid": "IPAllow",
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {
      "IpAddress": { "aws:SourceIp": [ "11.250.157.102/32", "130.103.28.243/32" ] },
      "NotIpAddress": { "aws:SourceIp": "192.168.143.188/32" }
    }
  } ] }
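Since the generator's output has to be hand-edited anyway, a small lint pass over the finished policy catches the two mistakes the examples above are prone to: s3:ListBucket aimed only at an object ARN (silently grants nothing) and a wildcard principal getting s3:* or a write action with no IpAddress condition. This is an added example, not from the original page; the SAMPLE_POLICY is constructed and exhibits both problems.

```python
import json

# Actions evaluated against the bucket ARN (arn:aws:s3:::bucket): an object ARN
# (arn:aws:s3:::bucket/*) never matches them, so such a statement grants nothing.
BUCKET_LEVEL_ACTIONS = {"s3:listbucket"}
READ_ONLY_ACTIONS = {"s3:getobject", "s3:listbucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone, signed or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _is_bucket_arn(resource):
    return resource.startswith("arn:aws:s3:::") and "/" not in resource[13:]

def lint_bucket_policy(policy_text):
    """Return a list of findings (strings) for a bucket policy given as JSON text."""
    try:
        policy = json.loads(policy_text)
    except ValueError as exc:
        return ["invalid JSON: %s" % exc]
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        ip_restricted = "IpAddress" in stmt.get("Condition", {})
        if actions & BUCKET_LEVEL_ACTIONS and not any(map(_is_bucket_arn, resources)):
            findings.append("%s: s3:ListBucket needs the bucket ARN (no trailing /*)" % sid)
        if _is_anonymous(stmt.get("Principal")):
            beyond_read = sorted(actions - READ_ONLY_ACTIONS)  # s3:* or any write action
            if beyond_read and not ip_restricted:
                findings.append("%s: anonymous principal gets %s with no IpAddress condition"
                                % (sid, beyond_read))
    return findings

# Constructed sample: ListBucket only on an object ARN, and s3:* to everyone with no IP condition.
SAMPLE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "Read", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "All", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]})
```

Run it as `print(lint_bucket_policy(SAMPLE_POLICY))`, or paste the generator's output into the call in place of SAMPLE_POLICY; the first thing it tells you is whether the JSON even parses.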
Amazon S3 Bucket Policies and Permissions can be a nightmare
After creating the bucket and choosing Static Website Hosting:
1. Upload index.html (use the web client for the most accurate fidelity of ACLs).
2. Click the checkbox next to index.html and Actions -> Make Public (this creates a permission for the Object of Open/Download).
3. Actions -> Properties will show you the object with a Permissions section (expand it; if it doesn't exist you may have uploaded via s3fox and gotten the object into a bad state).
Grantee groups:
Authenticated Users - This group consists of any user that has an Amazon AWS account.
Everyone - This group grants anonymous access to your bucket.
Log Delivery - This group grants write access to your bucket when the bucket is used to store server access logs.
Permissions:
List - Allows the grantee to view a list of the objects in the bucket.
Upload/Delete - Allows the grantee to access the object when they are logged in.
View Permissions - Allows the grantee to view the permissions associated with the object.
Edit Permissions - Allows the grantee to edit the permissions associated with the object.
Note that HTTPS access may not work unless you use https://s3.amazonaws.com/mybucket/index.html