Research bucket policies

[simonw]

An optional flag for attaching bucket policies to the new s3 bucket. These are just like IAM user policies, but attached to the bucket itself.

Originally posted by @zacaytion in #7 (comment)

I need to research bucket policies to fully understand what kinds of things they are useful for and how they should be supported by this tool.

[simonw]

The examples in the documentation are useful for understanding what these can do: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-2

This example in particular looks useful:

The following example policy grants the s3:GetObject permission to any public anonymous users

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicRead",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject","s3:GetObjectVersion"],
      "Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    }
  ]
}

This will only have an effect if the bucket doesn't have a "block public access setting", see #20.

Two other examples that caught my interest were:

• Limiting access to specific IP addresses
• Granting permission to an Amazon CloudFront OAI where OAI = origin access identity - so you can grant public access to your bucket contents only via a CDN and not via S3 directly