AWS: Useful AWS Bucket Policies

I plan to add more of these over time but for starters, here are a few helpful bucket policies I use while hosting static websites on AWS S3.

ACCESS

Public Access

If you're building an Angular app or a single landing page, this is pretty much all you need.

{
    "Version": "2012-10-17",
    "Id": "Policy1486443919047",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.mydomain.com/*"
        }
    ]
}

Limited Public Access

Suppose you have multiple folders within an S3 bucket and you want to provide limited access to your media but not your logs. Here's a simple example.

{
    "Version": "2012-10-17",
    "Id": "Policy1486443919047",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::www.mydomain.com/podcasts/*",
                "arn:aws:s3:::www.mydomain.com/images/*",
                "arn:aws:s3:::www.mydomain.com.fm/videos/*"
            ]
        },
        {
            "Sid": "DenyPublicRead",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::www.mydomain.com/logs/*"
            ]
        }
    ]
}

SAFEGUARDS

Measures designed to help to protect someone or something from doing something undesirable.

Prevent your team from accidentally deleting a bucket website

If you're hosting a website on S3, you probably want to include this at the very minimum. This has saved my life many many times.

This is also helpful when you're using an S3 bucket as a website redirect.

{
    "Version": "2012-10-17",
    "Id": "Policy1486196939555",
    "Statement": [
        {
            "Sid": "Stmt1486196931891",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteBucketWebsite"
            ],
            "Resource": "arn:aws:s3:::www.mydomain.com"
        }
    ]
}