設定（S3 バケットポリシーの例）

  • 特定のIAMユーザ（arn:aws:iam::<アカウントID>:user/<ユーザ名>）は、アクセス元IPに関係なくオブジェクトの取得・更新（s3:GetObject / s3:PutObject）が可能
  • 指定したアクセス元IPアドレス（aws:SourceIp に CIDR 表記で列挙）からは、誰でも（Principal "*" なので署名なしの匿名リクエストを含む）オブジェクトの閲覧（s3:GetObject）が可能
  • 上記以外からの s3:GetObject / s3:PutObject は明示的に拒否（Deny）
  注意点:
  • Deny 文で NotPrincipal に IAM ユーザだけを指定する場合、AWS のドキュメントではそのアカウントのルート（arn:aws:iam::<アカウントID>:root）も NotPrincipal に併記することが求められている。ユーザの権限はアカウント経由で付与されるため、ルートを含めないとユーザ自身まで拒否される可能性がある。
  • Deny 文が対象にしているのは s3:PutObject と s3:GetObject（オブジェクト ARN）だけで、s3:ListBucket や s3:DeleteObject などのアクションやバケット本体の ARN は含まれていない。「その他はアクセス拒否」を本当に徹底するなら、必要なアクションとバケット ARN（arn:aws:s3:::<バケット名>）を Deny に追加する。
  • aws:SourceIp は呼び出し元のパブリック IP で判定される。NAT やプロキシ経由では出口の IP が対象になり、VPC エンドポイント経由のリクエストではこのキーが評価に使えないため意図通りに動かないおそれがある（その場合は aws:VpcSourceIp / aws:SourceVpce を検討）。
  • Principal "*" の Allow は aws:SourceIp 条件付きのため、0.0.0.0/0 のような広い範囲を指定しない限り S3 のパブリックアクセスブロックでは「パブリック」扱いにならない想定だが、実環境で Block Public Access の設定と合わせて確認すること。
{
    "Version": "2012-10-17",
    "Id": "Policy[XXX]",
    "Statement": [
        {
            "Sid": "Stmt[XXX]",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::[ACCOUNT_ID]:user/[USER_NAME]"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::[XXX]/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "XXX",
                        "XXX"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt[XXX]",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[XXX]/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "XXX",
                        "XXX"
                    ]
                }
            }
        },
        {
            "Sid": "AllowBucketAndObjectsAccessFromDeploy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[ACCOUNT_ID]:user/[USER_NAME]"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::[XXX]/*"

        }
    ]
}

参考