Use an Amazon S3 bucket per application / application and environment

I had a need to make sure that a particular application (technically a specific environment of an application) could only play in its own S3 bucket. I couldn't find any examples of this in the IAM documentation, so I ended up finding a similar example on the AWS forums and making some changes. Here's what I used:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketAcl",
"s3:GetBucketVersioning",
"s3:GetBucketRequestPayment",
"s3:GetBucketLocation",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME_HERE",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
"Condition": {}
},
{
"Effect": "Deny",
"Action": "s3:*",
"Condition": {},
"NotResource": "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*"
}
]
}

Hopefully this helps others ☺