June 6, 2013

Policy file for WordPress W3TC and S3-based CDNs

If you are using S3 as a CDN, you will need to give WordPress’ W3TC plugin access to your AWS account so it can upload files to S3 on your behalf. The smart way to do this is to create a new AWS user who can only access what they need for W3TC to do its job. Who wants to store the keys to their whole AWS account in their WordPress-based site? If that information is retrieved by a hacker, they could do tons of damage. If they only gain access to your site’s specific bucket, there is less damage to be done.

Here’s what a policy file will look like for an S3 user for W3TC. Unfortunately it does need the ability to list all your buckets, but all the other read/write/delete permissions can be limited to the site-specific bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::bucketnamehere", "arn:aws:s3:::bucketnamehere/*"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

If you give the user incorrect permissions, you will see ‘permission denied’ errors when W3TC tries to run the functions S3::listBucket and S3::putObject.
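To see exactly where this policy’s boundary lies before handing the keys to W3TC, here is an added example (not from the original post) that checks constructed requests against the policy using a minimal model of IAM’s allow/deny evaluation. The object keys and the second bucket name are made up; the policy itself is the one above.

```python
"""Offline evaluation of the W3TC policy above. Models only what the post needs:
default deny, Allow statements matched by case-insensitive action globs and
case-sensitive resource globs, explicit Deny winning. No Condition support."""
import re

# The policy from the post (Version element included as AWS recommends).
W3TC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::bucketnamehere", "arn:aws:s3:::bucketnamehere/*"]},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob_match(pattern, text):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text) is not None

def is_allowed(policy, action, resource):
    """Return True if `policy` grants `action` on `resource`, else False."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names compare case-insensitively; resource ARNs case-sensitively.
        hit = (any(_glob_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
               and any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = allowed or hit
    return allowed

# Constructed requests probing the boundary the post describes.
SITE = "arn:aws:s3:::bucketnamehere"
CHECKS = [
    ("s3:PutObject", SITE + "/wp-content/uploads/2013/06/logo.png", True),
    ("s3:ListBucket", SITE, True),
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*", True),  # the account-wide grant W3TC needs
    ("s3:PutObject", "arn:aws:s3:::some-other-bucket/backup.sql", False),
    ("s3:DeleteBucket", SITE, True),  # s3:* on the bucket ARN includes bucket-level actions
    ("iam:CreateUser", "*", False),   # nothing outside S3 is granted
]

def run_checks(policy=W3TC_POLICY):
    """Evaluate each constructed request and return {(action, resource): decision}."""
    return {(a, r): is_allowed(policy, a, r) for a, r, _ in CHECKS}
```

The `s3:DeleteBucket` result shows that `s3:*` on the bucket ARN is broader than the upload/list/delete-object operations W3TC actually performs.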

Similar post: Granting access to a single S3 bucket using Amazon IAM