Background

We had a security incident in which an attacker attempted to use a set of our AWS access credentials to list the contents of all of our S3 buckets. Scoping each S3 IAM user to a single bucket limits the blast radius should its credentials be leaked: a compromised key can then reach only that one bucket's objects rather than every bucket in the account.

Code

Note that the Resource ARN is specific to one S3 bucket: replace YOUR-BUCKET with your own bucket name. The trailing /* means the statement covers objects inside that bucket only; it grants nothing on the bucket itself, so a user with this policy cannot list the bucket's contents (the operation attempted in the incident) even though they can read and write objects whose keys they already know. If listing is required, add a separate statement granting s3:ListBucket on the bucket ARN without the /* (arn:aws:s3:::YOUR-BUCKET); putting s3:ListBucket on the /* ARN silently grants nothing. You may also wish to expand the operations, for example adding s3:DeleteObject so users can delete bucket items as well. Attach the policy to the IAM user (or, preferably, to a group or role the user assumes) as an identity-based policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectRetention",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectAttributes",
                "s3:GetObjectLegalHold",
                "s3:GetObjectVersionAttributes",
                "s3:GetObjectVersionTorrent",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectTorrent",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::YOUR-BUCKET/*"
        }
    ]
}
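As an added example (not from the original post and not an AWS tool), the following Python script statically checks that a policy document like the one above is actually confined to one bucket: it flags wildcard resources, resources in other buckets, wildcard actions, and bucket-level actions placed on the object ARN where they grant nothing. It assumes the placeholder bucket name YOUR-BUCKET, adds a second, hypothetical statement granting s3:ListBucket on the bucket ARN (where that action has to live), and the over-broad policy it checks against is constructed for the example.

```python
"""Offline check that an S3 IAM policy is really scoped to a single bucket.

Added example for this page, not AWS tooling. No AWS calls are made; the
policy document is parsed and inspected locally.
"""
import json

BUCKET = "YOUR-BUCKET"  # placeholder from the page; substitute your bucket name

# Bucket-level actions: valid only on arn:aws:s3:::BUCKET, never on BUCKET/*.
BUCKET_LEVEL_ACTIONS = {
    "s3:ListBucket",
    "s3:ListBucketVersions",
    "s3:ListBucketMultipartUploads",
    "s3:GetBucketLocation",
    "s3:GetBucketVersioning",
}

# The page's policy (object reads plus PutObject), extended with one extra
# statement. s3:ListBucket sits in its own statement because it needs the
# bucket ARN without the trailing /*. That statement is this example's
# assumption, not part of the original policy.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Sid": "ListOnlyThisBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
    ],
}

# Constructed counter-example with two common mistakes: s3:* on every bucket
# in the account, and s3:ListBucket on the object ARN (grants nothing).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooWide", "Effect": "Allow",
         "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
        {"Sid": "WrongArn", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def s3_resource_scope(arn, bucket):
    """Classify one Resource ARN relative to the bucket we scope to.

    Returns 'bucket' (the bucket ARN itself), 'objects' (bucket/<key pattern>),
    'wildcard' (matches more than one bucket) or 'foreign' (another bucket
    or a non-S3 resource).
    """
    if arn == "*":
        return "wildcard"
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return "foreign"
    name, slash, _key = arn[len(prefix):].partition("/")
    if name != bucket:
        return "wildcard" if "*" in name else "foreign"
    return "objects" if slash else "bucket"


def check_policy_scoped_to_bucket(policy, bucket):
    """Return a list of finding strings; an empty list means the policy is scoped."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: grants by exclusion; rewrite as explicit lists")
            continue
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action in ("*", "s3:*"):
                findings.append(f"{sid}: action {action!r} grants every S3 operation")
        for res in _as_list(stmt.get("Resource")):
            scope = s3_resource_scope(res, bucket)
            if scope == "wildcard":
                findings.append(f"{sid}: resource {res!r} is not limited to a single bucket")
            elif scope == "foreign":
                findings.append(f"{sid}: resource {res!r} is outside bucket {bucket!r}")
            elif scope == "objects":
                for action in actions:
                    if action in BUCKET_LEVEL_ACTIONS:
                        findings.append(f"{sid}: {action} is bucket-level and grants nothing "
                                        f"on {res!r}; use arn:aws:s3:::{bucket}")
    return findings


def check_policy_json(text, bucket):
    """Same check on a policy document given as JSON text (e.g. a file's contents)."""
    return check_policy_scoped_to_bucket(json.loads(text), bucket)


if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(f"{name}: {check_policy_scoped_to_bucket(pol, BUCKET) or 'OK'}")
```

Run as-is it reports OK for the scoped policy and three findings for the constructed one. To check a real policy, read the JSON from the IAM console or `aws iam get-user-policy` output and pass it to check_policy_json with the bucket name you intend; any finding means a leaked key for that user reaches more than the one bucket, or that a statement does not do what it looks like it does.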