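This bucket policy allows public read access (`"Principal": "*"`) to every object in the bucket, while put and delete are granted only to the one named IAM user. The public statement also includes `s3:GetObjectVersion`, so on a versioned bucket older object versions can be read by anyone who requests them by version ID. The policy contains no `Deny` statement, so it does not by itself stop other principals in the bucket owner's account whose IAM policies grant S3 write access. `bucketname`, the account ID and `username` are placeholders.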
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ServeSiteMedias", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject", "s3:GetObjectAttributes", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::bucketname/*" }, { "Sid": "PutReadDeleteSiteMedias", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::1234567890:user/username" }, "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::bucketname/*" } ] }