I needed to make sure that a particular application (technically, a specific environment of an application) could only access its own S3 bucket, and nothing else in the account. I couldn't find an example of this in the IAM documentation, so I ended up adapting a similar example from the AWS forums. Here's what I used: