#1043: Minimum AWS Permission Policy for TopoShare

Technote

The TopoShare platform only requires a handful of S3 operations to function. Using AWS Identity and Access Management (IAM), you can create a dedicated TopoShare AWS user and attach the policy below to limit what that user can do in your AWS environment. The policy grants the minimum permissions needed for full functionality and restricts those actions to a single, named bucket. Be sure to replace bucketname (in both Resource ARNs) with your own bucket name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetBucketCORS",
                "s3:ListBucket",
                "s3:PutBucketCORS",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

The s3:ListAllMyBuckets permission is only used to test the connection; the platform technically works without it. Without it, the only way to verify the credentials is to upload a project and confirm that it succeeds.

The same policy without s3:ListAllMyBuckets:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetBucketCORS",
                "s3:ListBucket",
                "s3:PutBucketCORS",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        }
    ]
}
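As an added example (not TopoShare's own code), the following Python helper renders the policy above with your bucket name filled in and then checks it the way a reviewer would: every Allow statement may only use the six actions listed in this technote, each must be scoped to the named bucket's ARNs, and only s3:ListAllMyBuckets may use Resource "*". The bucket name and function names are assumptions for illustration.

```python
import re

# The six bucket-scoped actions the technote lists; nothing else should appear.
BUCKET_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:GetBucketCORS",
                  "s3:ListBucket", "s3:PutBucketCORS", "s3:DeleteObject"}
# The only action that legitimately needs an account-wide "*" resource.
LIST_ACTION = "s3:ListAllMyBuckets"


def build_policy(bucket, include_list_all=True):
    """Render the technote's policy with the bucket name substituted in."""
    statements = [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": sorted(BUCKET_ACTIONS),
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
    }]
    if include_list_all:
        statements.append({"Sid": "VisualEditor1", "Effect": "Allow",
                           "Action": LIST_ACTION, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_problems(policy, bucket):
    """Return a list of findings; an empty list means the policy is scoped as intended."""
    findings = []
    allowed_arn = re.compile(rf"arn:aws:s3:::{re.escape(bucket)}(/\*)?")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM accepts either a string or a list for Action and Resource.
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else list(resources)
        for action in actions:
            if action == LIST_ACTION:
                continue  # account-wide by design, so "*" is expected here
            if action not in BUCKET_ACTIONS:
                findings.append(f"{stmt.get('Sid')}: unexpected action {action}")
            for res in resources:
                if not allowed_arn.fullmatch(res):
                    findings.append(f"{stmt.get('Sid')}: {action} allowed on {res}")
    return findings
```

Run policy_problems on a policy pasted from the IAM console (json.load) before attaching it; a non-empty result means the user can reach more than the TopoShare bucket.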
