Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Examples of policy summaries
The following examples include JSON policies with their associated policy summaries, service summaries, and action summaries to help you understand the permissions given through a policy.
Policy 1: DenyCustomerBucket
This policy demonstrates an allow and a deny for the same service.
JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "DenyCustomerBucket",
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]
    }
  ]
}
[Image: DenyCustomerBucket policy summary]
[Image: DenyCustomerBucket service summary: S3 (Explicit deny)]
[Image: DenyCustomerBucket action summary: GetObject (Read)]
Policy 2: DynamoDbRowCognitoID
This policy provides row-level access to Amazon DynamoDB based on the user's Amazon Cognito ID.
JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
[Image: DynamoDbRowCognitoID policy summary]
[Image: DynamoDbRowCognitoID service summary: DynamoDB (Allow)]
[Image: DynamoDbRowCognitoID action summary: GetItem (List)]
Policy 3: MultipleResourceCondition
This policy includes multiple resources and conditions.
JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": ["arn:aws:s3:::Apple_bucket/*"],
      "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": ["arn:aws:s3:::Orange_bucket/*"],
      "Condition": {"StringEquals": {
        "s3:x-amz-acl": ["custom"],
        "s3:x-amz-grant-full-control": ["1234"]
      }}
    }
  ]
}
[Image: MultipleResourceCondition policy summary]
[Image: MultipleResourceCondition service summary: S3 (Allow)]
[Image: MultipleResourceCondition action summary: PutObject (Write)]
Policy 4: EC2_troubleshoot
The following policy allows users to get a screenshot of a running Amazon EC2 instance, which can help with EC2 troubleshooting. This policy also permits viewing information about the items in the Amazon S3 developer bucket.
JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:GetConsoleScreenshot"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::developer"
      ]
    }
  ]
}
[Image: EC2_Troubleshoot policy summary]
[Image: EC2_Troubleshoot service summary: S3 (Allow)]
[Image: EC2_Troubleshoot action summary: ListBucket (List)]
Policy 5: CodeBuild_CodeCommit_CodeDeploy
This policy provides access to specific CodeBuild, CodeCommit, and CodeDeploy resources. Because these resources are specific to each service, they appear only with the matching service. If you include a resource that does not match any services in the Action element, then the resource appears in all action summaries.
JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1487980617000",
      "Effect": "Allow",
      "Action": [
        "codebuild:*",
        "codecommit:*",
        "codedeploy:*"
      ],
      "Resource": [
        "arn:aws:codebuild:us-west-2:123456789012:project/my-demo-project",
        "arn:aws:codecommit:us-west-2:123456789012:MyDemoRepo",
        "arn:aws:codedeploy:us-west-2:123456789012:application:WordPress_App",
        "arn:aws:codedeploy:us-west-2:123456789012:instance/AssetTag*"
      ]
    }
  ]
}
[Image: CodeBuild_CodeCommit_CodeDeploy policy summary]
[Image: CodeBuild_CodeCommit_CodeDeploy service summary: CodeBuild (Allow)]
[Image: CodeBuild_CodeCommit_CodeDeploy action summary: StartBuild (Write)]
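The resource-matching rule described for Policy 5, and the Allow / Explicit deny labelling seen in Policy 1, worked through in code. This is an added example, not code from the IAM console or this documentation: it is an assumed, simplified model of the rule (resources attach to actions of their own service; a resource whose service appears nowhere in the Action element attaches to every action), run over a constructed policy that deliberately lists an S3 ARN without any s3: action.

```python
import json
from collections import defaultdict

# Constructed policy in the shape of Policy 5 (not the page's JSON): an S3 ARN is listed
# although no s3: action appears, so it should show up under every action.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["codebuild:StartBuild", "codecommit:GitPull"],
     "Resource": ["arn:aws:codebuild:us-west-2:123456789012:project/my-demo-project",
                  "arn:aws:codecommit:us-west-2:123456789012:MyDemoRepo",
                  "arn:aws:s3:::unrelated-bucket/*"]},
    {"Effect": "Deny", "Action": ["codecommit:*"], "Resource": ["*"]}
  ]
}""")

def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def arn_service(arn):
    """Service segment of an ARN (arn:partition:service:...); '*' names no service."""
    return arn.split(":")[2] if arn.count(":") >= 2 else None

def summarize(policy):
    """Per-service view: {service: {"Allow": {action: resources}, "Deny": {...}}}.
    Assumed simplified model of the rule described above, not the console's own code."""
    summary = defaultdict(lambda: {"Allow": {}, "Deny": {}})
    for stmt in policy["Statement"]:
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        services = {a.split(":")[0] for a in actions}
        for action in actions:
            svc = action.split(":")[0]
            # An ARN attaches to actions of its own service; '*' or an ARN whose service
            # is absent from the Action element attaches to every action in the statement.
            matched = {r for r in resources
                       if arn_service(r) in (svc, None) or arn_service(r) not in services}
            summary[svc][stmt["Effect"]].setdefault(action, set()).update(matched)
    return dict(summary)

def service_labels(summary):
    """Label each service as the service summary does: Allow, Explicit deny, or both."""
    return {svc: ", ".join(lbl for eff, lbl in (("Allow", "Allow"), ("Deny", "Explicit deny"))
                           if by_effect[eff])
            for svc, by_effect in summary.items()}

if __name__ == "__main__":
    print(service_labels(summarize(POLICY)))  # {'codebuild': 'Allow', 'codecommit': 'Allow, Explicit deny'}
```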