{ "Statement": [ { "Action": [ "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite", "s3:ObjectOwnerOverrideToBucketOwner", "s3:PutAccelerateConfiguration", "s3:PutAnalyticsConfiguration", "s3:PutBucketAcl", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketOwnershipControls", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketRequestPayment", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration", "s3:PutIntelligentTieringConfiguration", "s3:PutInventoryConfiguration", "s3:PutLifecycleConfiguration", "s3:PutMetricsConfiguration", "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectVersionAcl", "s3:PutReplicationConfiguration" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "Allow Restricted administer-resource" }, { "Action": [ "s3:GetAccelerateConfiguration", "s3:GetAnalyticsConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketOwnershipControls", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetIntelligentTieringConfiguration", "s3:GetInventoryConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetObjectAcl", "s3:GetObjectAttributes", "s3:GetObjectLegalHold", "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectVersionAcl", "s3:GetObjectVersionAttributes", "s3:GetObjectVersionTagging", "s3:GetReplicationConfiguration", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:ListMultipartUploadParts" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "Allow Restricted read-config" }, { "Action": [ "s3:GetObject", "s3:GetObjectTorrent", "s3:GetObjectVersion", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionTorrent", "s3:ListBucket" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "Allow Restricted read-data" }, { "Action": [ "s3:AbortMultipartUpload", "s3:InitiateReplication", "s3:PutBucketTagging", "s3:PutObject", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:ReplicateDelete", "s3:ReplicateObject", "s3:ReplicateTags", "s3:RestoreObject" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "Allow Restricted write-data" }, { "Action": [ "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "Allow Restricted delete-data" }, { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": false } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "DenyInsecureCommunications" }, { "Action": [ "s3:PutObject", "s3:ReplicateObject" ], "Condition": { "Null": { "s3:x-amz-server-side-encryption": true } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "DenyUnencryptedStorage" }, { "Action": [ "s3:PutObject", "s3:ReplicateObject" ], "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "DenyUnexpectedEncryptionMethod" }, { "Action": "s3:*", "Condition": { "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Deny", "Principal": { "AWS": [ "*", "*" ] }, "Resource": [ "${Token[TOKEN.24]}", "${Token[TOKEN.24]}/*" ], "Sid": "DenyEveryoneElse" } ], "Version": "2012-10-17" }