A set of IAM policies for Amazon Web Services Simple Storage Service (AWS S3) buckets. Each policy is meant to be attached to a different IAM group. The set imitates the Unix permissions model (rwx), where r is read, w is write and x stands for administrative access to the bucket.

Read (download) access to objects in 'bucket-name'. No write access and no access to bucket properties except what is needed to navigate in the AWS console (ListAllMyBuckets and GetBucketLocation). Note that the wildcards are broader than the plain names suggest: s3:GetObject* also covers object metadata reads such as s3:GetObjectAcl, s3:GetObjectVersion and s3:GetObjectTagging, and s3:List* on the bucket ARN also covers s3:ListBucketVersions and s3:ListBucketMultipartUploads. All of these are still read-only, but if object ACLs or old versions are sensitive, spell the actions out instead of using the wildcard.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:List*",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
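The easiest way to see what a wildcard such as s3:List* or s3:GetObject* really grants is to evaluate the policy offline against a list of candidate requests. The script below is an added example, not part of the original post: it implements only the subset of IAM evaluation needed for this policy (Allow statements, `*` and `?` wildcards, no Deny, no Conditions, no bucket policies) and runs it over a constructed set of (action, resource) pairs. Action names are matched case-insensitively and resource ARNs case-sensitively, as IAM does. The bucket name and the sample object keys are placeholders.

```python
"""Offline evaluator for the read-only S3 policy above (added example).

Only the subset of IAM evaluation this policy needs is implemented:
Allow statements, '*' and '?' wildcards in Action and Resource.
There is no Deny handling, no Condition handling and no resource policy.
"""
import fnmatch
import json

# The read-only policy from the post, verbatim apart from plain ASCII quotes.
READ_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject*", "s3:List*", "s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a string or a list of strings in Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, case_sensitive):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if some Allow statement covers both the action and the resource.

    Actions are compared case-insensitively, resource ARNs case-sensitively.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(p, action, False) for p in _as_list(stmt["Action"])):
            continue
        if any(_matches(p, resource, True) for p in _as_list(stmt["Resource"])):
            return True
    return False


def audit(policy, requests):
    """Evaluate a batch of (action, resource) pairs; returns {pair: allowed}."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


# Constructed sample requests (placeholder keys), chosen to probe the wildcards.
SAMPLE_REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::bucket-name/reports/q1.csv"),
    ("s3:PutObject", "arn:aws:s3:::bucket-name/reports/q1.csv"),
    ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
    ("s3:ListBucket", "arn:aws:s3:::bucket-name"),
    # s3:List* also matches these bucket-level read actions:
    ("s3:ListBucketVersions", "arn:aws:s3:::bucket-name"),
    ("s3:ListBucketMultipartUploads", "arn:aws:s3:::bucket-name"),
    # s3:GetObject* also matches object metadata reads:
    ("s3:GetObjectAcl", "arn:aws:s3:::bucket-name/reports/q1.csv"),
    # Bucket configuration stays out of reach:
    ("s3:GetBucketPolicy", "arn:aws:s3:::bucket-name"),
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
]

if __name__ == "__main__":
    for (action, resource), allowed in audit(READ_POLICY, SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {action:32} {resource}")
```

Running it lists every PutObject, cross-bucket and bucket-configuration request as denied, while ListBucketVersions, ListBucketMultipartUploads and GetObjectAcl come back allowed, which is exactly the extra surface the wildcards add. For a real account, confirm the same pairs with the IAM policy simulator (`aws iam simulate-custom-policy`), which also accounts for Deny statements, bucket policies and conditions that this evaluator ignores.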