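{#
  IAM policy template granting access to a single S3 bucket.

  Inputs (read from the template context):
    item.bucket       - bucket name, interpolated into the resource ARNs
    item.permissions  - 'read-only' or 'read-write'

  item.bucket is inserted into JSON strings without escaping, so it should
  come from a trusted source or be validated against S3 bucket naming rules
  before this template is rendered.

  Any other value of item.permissions renders an empty Action list in the
  last statement. Validate the value before templating instead of relying
  on the resulting policy being rejected downstream.
#}
{
  "Version": "2012-10-17",
  "Statement": [
    {# Bucket-level read access: locate the bucket and list its keys. #}
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::{{ item.bucket }}"
      ]
    },
{% if item.permissions == 'read-write' %}
    {#
      Guardrail for writers: explicitly deny changes to the bucket policy and
      to the default encryption configuration. Both are bucket-level actions,
      so the statement must target the bucket ARN. With an object ARN
      (bucket/*) the Deny matches no request and protects nothing.
    #}
    {
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::{{ item.bucket }}"
      ]
    },
{% endif %}
    {# Object-level access, scoped to keys inside the bucket. #}
    {
      "Effect": "Allow",
      "Action": [
{% if item.permissions == 'read-write' %}
        {#
          NOTE(review): s3:* on the object ARN covers every object-level
          action, including ACL changes. If consumers only read, write and
          delete objects, narrow this to s3:GetObject, s3:PutObject and
          s3:DeleteObject.
        #}
        "s3:*"
{% elif item.permissions == 'read-only' %}
        "s3:GetObject"
{% endif %}
      ],
      "Resource": [
        "arn:aws:s3:::{{ item.bucket }}/*"
      ]
    }
  ]
}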