From f0c2d0d7cdfdefe5fe99604353802aa186aa85fa Mon Sep 17 00:00:00 2001
From: Lining Pan
Date: Wed, 10 May 2023 14:48:39 -0400
Subject: [PATCH] docs: improve AWS policy
---
 README.md | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index b153073..a20880f 100644
--- a/README.md
+++ b/README.md
@@ -289,7 +289,10 @@ For non-public buckets, this will require an update to the bucket policy. The fo
 "Principal": {
 "AWS": "arn:aws:iam::618523879050:federated-user/"
 },
- "Action": "s3:PutObject*",
+ "Action": [
+ "s3:AbortMultipartUpload",
+ "s3:PutObject*"
+ ],
 "Resource": "arn:aws:s3:::/*"
 }
 ```
@@ -306,7 +309,16 @@ The following statement should be added to your key's policy:
 "AWS": "arn:aws:iam::618523879050:user/DownloadManager"
 },
 "Action": ["kms:GenerateDataKey","kms:Decrypt"],
- "Resource": "*"
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "kms:CallerAccount": "618523879050",
+ "kms:ViaService": "s3.us-east-1.amazonaws.com"
+ },
+ "StringLike": {
+ "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::"
+ }
+ }
 }
 ```
 ## Further Assistance