This is the minimal IAM policy for an application that needs access to a single AWS S3 bucket only, where it uploads and downloads files and generates signed URLs for public access.

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": [

Create an IAM user and attach the above policy, with bucket-name replaced by the name of your bucket.

Enjoy, and remember to ignore anyone who suggests attaching a give-all-permissions policy. You don’t give your house keys to strangers, right?
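As an added example (not the policy from this post, whose action list is not reproduced here), the Python below builds a policy scoped to one bucket and flags the wildcard grants a give-all-permissions policy contains. The actions `s3:GetObject` and `s3:PutObject` and the helper names are assumptions. A presigned URL is signed with the user's own credentials, so it needs no IAM action beyond the object permission it exercises.

```python
import json

# Assumed action set for upload/download; not taken from the original post.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject"]


def build_bucket_policy(bucket_name):
    """Return an identity policy limited to the objects of one named bucket."""
    if not bucket_name or "*" in bucket_name or "?" in bucket_name:
        raise ValueError("bucket name must be concrete, without wildcards")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(OBJECT_ACTIONS),
                # Object-level actions match keys, hence the /* suffix.
                "Resource": [f"arn:aws:s3:::{bucket_name}/*"],
            }
        ],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad(policy):
    """List Allow grants whose action or resource reaches beyond one bucket."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            # A wildcard in the bucket part of the ARN covers other buckets.
            bucket_part = resource.split(":::", 1)[-1].split("/", 1)[0]
            if "*" in bucket_part:
                findings.append(f"statement {i}: wildcard resource {resource!r}")
    return findings


# Constructed sample of the allow-everything policy the post warns against.
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(build_bucket_policy("bucket-name"), indent=4))
    print(find_overbroad(ALLOW_ALL))
```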