From dc2b5a3f000177488d177def70563bcb6a931de0 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Wed, 24 Apr 2024 19:10:19 +0200
Subject: [PATCH] chore(kb/aws): iam policy example
---
 knowledge base/cloud computing/aws/README.md | 39 ++++++++++++++++++++
 knowledge base/cloud computing/aws/s3.md | 3 ++
 2 files changed, 42 insertions(+)
diff --git a/knowledge base/cloud computing/aws/README.md b/knowledge base/cloud computing/aws/README.md
index 6928834..e7caad6 100644
--- a/knowledge base/cloud computing/aws/README.md
+++ b/knowledge base/cloud computing/aws/README.md
@@ -10,6 +10,7 @@
 1. [Security Hub](#security-hub)
 1. [Resource constraints](#resource-constraints)
 1. [Access control](#access-control)
+ 1. [IAM policies](#iam-policies)
 1. [Further readings](#further-readings)
 1. [Sources](#sources)
@@ -170,6 +171,44 @@ From [Using service-linked roles]:
 > Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not
 > edit the permissions for service-linked roles.
+### IAM policies
+
+Examples:
+
+
+ Give a user temporary RO access to a bucket
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "arn:aws:iam::012345678901:user/my-user"
+ ],
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:GetObjectAttributes",
+ "s3:ListBucket",
+ "s3:ListBucketVersions",
+ ],
+ "Resource": [
+ "arn:aws:s3:::my-bucket",
+ "arn:aws:s3:::my-bucket/*",
+ ],
+ "Condition": {
+ "DateLessThan": {
+ "aws:CurrentTime": "2024-03-01T00:00:00Z",
+ },
+ },
+ }],
+}
+```
+
+
+
+
 ## Further readings
 - [EC2]
diff --git a/knowledge base/cloud computing/aws/s3.md b/knowledge base/cloud computing/aws/s3.md
index 6307fe7..aa5f382 100644
--- a/knowledge base/cloud computing/aws/s3.md
+++ b/knowledge base/cloud computing/aws/s3.md
@@ -63,6 +63,9 @@ aws s3 sync '.' 's3://arn:aws:s3:us-west-2:123456789012:accesspoint/myaccesspoin
 # Delete buckets.
 aws s3 rb 's3://my-bucket'
 aws s3 rb 's3://my-bucket' --force
+
+# Check permissions.
+aws s3api get-bucket-acl --bucket 'my-bucket'
 ```
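Review bot: The policy document in the `json` fence of the "IAM policies" hunk is not valid JSON — a comma precedes every closing `]` or `}` that ends its container (seven of them, from the `],` under `"AWS"` down to `}],` before the final `}`) — and IAM rejects such documents as malformed, so the example cannot be pasted into a policy as-is; drop those trailing commas. The statement also carries a `Principal` element, which only resource-based policies such as a bucket policy accept, while the section heading, the summary and the new TOC entry present it as an IAM (identity-based) policy; either remove `Principal` and attach the policy to the user, or label the example as a bucket policy. The `DateLessThan` cut-off `2024-03-01T00:00:00Z` already lies before the commit date, so a reader copying the example grants nothing until they edit it; an obviously labelled placeholder such as `"<EXPIRY-DATE-IN-RFC-3339-UTC>"` with a sentence telling the reader to replace it would make the intent clearer. The hunk's trailing context lines sit on the following physical line of the patch.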