S3-Policies

2 notes  •  IoT & AI

S3 IAM Policy for Uploading Videos

This IAM policy grants an application or user permission to list a specific S3 bucket and upload/retrieve video objects with tagging support.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBucketListing",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::your-input-bucket"
    },
    {
      "Sid": "AllowObjectManagement",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutObjectTagging",
        "s3:GetObjectTagging"
      ],
      "Resource": "arn:aws:s3:::your-input-bucket/*"
    }
  ]
}

Apply

# Attach to an IAM user or role in the AWS Console:
# IAM -> Users -> your-user -> Add permissions -> Attach policies directly
# Or using the CLI:
aws iam put-user-policy \
  --user-name your-uploader-user \
  --policy-name VideoUploadPolicy \
  --policy-document file://upload-policy.json

Notes

  • Replace your-input-bucket with your actual bucket name.
  • Use IAM roles (not access keys) for EC2 instances and Lambda functions.
  • Restrict to specific prefixes with arn:aws:s3:::bucket/uploads/* for finer-grained control.

S3 IAM Policy for ML Model: Read Input, Write Annotated Output

This IAM policy allows an ML model or processing service to read from an input video bucket and write annotated results to a separate output bucket — following the principle of least privilege.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadFromInputBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-input-bucket",
        "arn:aws:s3:::your-input-bucket/*"
      ]
    },
    {
      "Sid": "AllowWriteToAnnotatedBucket",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectTagging",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-annotated-bucket",
        "arn:aws:s3:::your-annotated-bucket/*"
      ]
    }
  ]
}

Apply

# Attach to the IAM role used by the ML service (e.g. EC2 instance role or Lambda role)
aws iam put-role-policy \
  --role-name ml-processing-role \
  --policy-name MLVideoProcessingPolicy \
  --policy-document file://ml-policy.json

Notes

  • Use separate buckets for input and annotated output to avoid accidental overwrites.
  • The ML model only needs GetObject on the input bucket — PutObject is intentionally absent to prevent it from modifying source files.
  • Attach this policy to an IAM role and assign the role to your EC2 instance or Lambda function — never embed access keys in application code.
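A small least-privilege check for policies like the two above, added here as an example and not part of the notes: it re-types the ML-processing policy as a Python dict, then flags wildcard actions or resources and any Allow statement that grants a write action on the input bucket, which is exactly the property the notes rely on. Bucket names are the placeholders from the notes; `check_policy` and `loosened_policy` are names chosen for this example.

```python
import copy

# Constructed for this example: the page's ML-processing policy as a Python dict.
ML_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadFromInputBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::your-input-bucket",
                      "arn:aws:s3:::your-input-bucket/*"]},
        {"Sid": "AllowWriteToAnnotatedBucket", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectTagging", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::your-annotated-bucket",
                      "arn:aws:s3:::your-annotated-bucket/*"]},
    ],
}

# Actions that modify or remove objects; none of them may target the input bucket.
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectTagging", "s3:DeleteObject", "s3:DeleteObjectTagging"}

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource
    return value if isinstance(value, list) else [value]

def check_policy(policy, input_bucket):
    """Return least-privilege findings for an IAM policy document (empty list = passes)."""
    findings = []
    input_arn = f"arn:aws:s3:::{input_bucket}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, nothing to flag
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        # Wildcards widen the grant far beyond the two buckets in the notes
        findings += [f"{sid}: wildcard action {a}" for a in actions if "*" in a]
        findings += [f"{sid}: wildcard resource {r}" for r in resources if r in ("*", "arn:aws:s3:::*")]
        # The notes' rule: the model reads the input bucket but never writes to it
        writes = sorted(set(actions) & WRITE_ACTIONS)
        if writes and any(r == input_arn or r.startswith(input_arn + "/") for r in resources):
            findings.append(f"{sid}: {', '.join(writes)} granted on input bucket {input_bucket}")
    return findings

def loosened_policy():
    """A deliberately over-broad copy of ML_POLICY: PutObject added to the read statement."""
    bad = copy.deepcopy(ML_POLICY)
    bad["Statement"][0]["Action"].append("s3:PutObject")
    return bad
```

Run `check_policy(ML_POLICY, "your-input-bucket")` before attaching a policy with `aws iam put-role-policy`; an empty list means the read/write separation the notes describe is intact.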