Create a secure S3 Bucket

Create an S3 bucket whose Access Control List grants no public access, but does grant access to the root account and to the current user.
Then change the Bucket Policy to the form shown below. Details of how to determine the highlighted values may be found here: How to Restrict Amazon S3 Bucket Access to a Specific IAM Role

A summary follows of how to derive the values (for AWS experts):

775488040364           AWS Account number
lansa-secure           S3 Secure Bucket name
AROAI4S5N5QLPZ5QHQIJ2  RoleId of paas-ec2 (aws iam get-role --role-name ROLE-NAME)
AIDAJFF4TKJHEGHMMDUUQ  IAM UserId of the administrator (aws iam get-user --user-name USER-NAME)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::775488040364:role/paas-ec2"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::lansa-secure"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::775488040364:role/paas-ec2"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::lansa-secure/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::lansa-secure",
                "arn:aws:s3:::lansa-secure/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAI4S5N5QLPZ5QHQIJ2:*",
                        "AIDAJFF4TKJHEGHMMDUUQ",
                        "775488040364"
                    ]
                }
            }
        }
    ]
}
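
The Deny statement above blocks every caller whose aws:userId matches none of the three listed patterns. The following Python sketch is an added example, not part of the original page or of any AWS tooling: it evaluates that StringNotLike condition offline against constructed caller IDs (the instance ID, the "other" user and role IDs are made up) to show who the Deny catches and why the role ID needs the ":*" suffix.

```python
import re

# Values copied from the bucket policy on this page.
ALLOWED_USER_IDS = [
    "AROAI4S5N5QLPZ5QHQIJ2:*",  # any session of the paas-ec2 role
    "AIDAJFF4TKJHEGHMMDUUQ",    # administrator IAM user
    "775488040364",             # account root user
]

def string_like(value, pattern):
    """IAM StringLike: case-sensitive, '*' = any run of chars, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def deny_applies(user_id, patterns=ALLOWED_USER_IDS):
    """True when the Deny statement's StringNotLike condition holds,
    i.e. aws:userId matches none of the listed patterns."""
    return not any(string_like(user_id, p) for p in patterns)

# Constructed aws:userId values; only the three IDs from the page are real.
SAMPLE_CALLERS = {
    "paas-ec2 session on an instance": "AROAI4S5N5QLPZ5QHQIJ2:i-0123456789abcdef0",
    "administrator IAM user": "AIDAJFF4TKJHEGHMMDUUQ",
    "account root user": "775488040364",
    "another IAM user": "AIDAEXAMPLEOTHERUSER0",
    "another role's session": "AROAEXAMPLEOTHERROLE0:session",
    "anonymous request": "anonymous",
}

def report():
    """Map each sample caller to the Deny statement's verdict."""
    return {name: ("DENY" if deny_applies(uid) else "not denied")
            for name, uid in SAMPLE_CALLERS.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{verdict:10}  {name}")
    # A role session's aws:userId is "RoleId:session-name", so listing the
    # bare RoleId without ':*' would deny the role's own sessions.
    session = SAMPLE_CALLERS["paas-ec2 session on an instance"]
    print("bare RoleId denies role session:",
          deny_applies(session, ["AROAI4S5N5QLPZ5QHQIJ2"]))
```

"Not denied" is not the same as allowed: a caller the Deny skips still needs an Allow from this policy or from its own IAM permissions.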