AWS/Policy/s3-signed-url
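- Example of a bucket policy that forces a single S3 object (report.html) to be downloaded only through a signed URL: the second statement denies s3:GetObject on that object unless the request is authenticated in the query string (s3:authtype = REST-QUERY-STRING). The Deny grants nothing by itself, so the principal that signs the URL still needs s3:GetObject on the object, and requests for report.html that are authenticated in the Authorization header are refused too.
Also allows anonymous s3:GetObject on the bucket's objects from the single IP 99.99.120.55/32. Because an explicit Deny overrides an Allow, unsigned requests for report.html are refused from that IP as well. The bucket-level ARN (the one without /*) in the first statement has no effect, since s3:GetObject is an object-level action.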
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::c11284a125440l871709t1w055333526116-s3bucket-16swdvc80comq/*",
"arn:aws:s3:::c11284a125440l871709t1w055333526116-s3bucket-16swdvc80comq"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"99.99.120.55/32"
]
}
}
},
{
"Sid": "DenyOneObjectIfRequestNotSigned",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::c11284a125440l871709t1w055333526116-s3bucket-16swdvc80comq/report.html",
"Condition": {
"StringNotEquals": {
"s3:authtype": "REST-QUERY-STRING"
}
}
}
]
}