{
  "Version": "2012-10-17",
  "Statement": [
    { 
      "Sid": "GeneralUserListBucketPermissions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<BUCKET-NAME-HERE>",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        },
        "IpAddress": {
          "aws:SourceIp": "x.x.x.x/32"
        }
      }
    },
    {
      "Sid": "RestrictUsersToIndividualFolders",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::<BUCKET-NAME-HERE>/Engineering/${aws:username}/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        },
        "IpAddress": {
          "aws:SourceIp": "x.x.x.x/32"
        }
      }
    },
    {
      "Sid": "EnforceAES256EncryptionOnEncryptedFolder",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<BUCKET-NAME-HERE>/Engineering/encrypted/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        },
        "IpAddress": {
          "aws:SourceIp": "x.x.x.x/32"
        }
      }
    }
  ]
}