An S3 bucket policy is an object that allows you to manage access to specific buckets. They are structured with JSON-based access policy language. 

To start with, set up s3cmd, if you haven't done so already. Here's an article to help you with that: Object storage: How to use s3cmd and s3fs

To enforce a policy located in a JSON file called policy.json upon a bucket called mybucket, we run the command:

s3cmd setpolicy policy.json s3://mybucket 

Sample scenarios

Grant any user read-access to the bucket:

{
  "Version": "2012-10-17",
  "Id": "policy-read-any",
  "Statement": [
    {
      "Sid": "read-any",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
		   "*"
		]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Grant any user read and write access to the bucket: 

{
  "Version": "2012-10-17",
  "Id": "policy-read-any",
  "Statement": [
    {
      "Sid": "read-write-any",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
		   "*"
		]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
		"s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Put up IP restrictions to read and write to a bucket: 

 {
       "Sid": "AllowIP",
       "Effect": "Deny",
       "Principal": {
         "AWS": ["*"]
       },
       "Action": [
         "s3:ListBucket",
         "s3:GetObject",
		 "s3:PutObject"
       ],
       "Resource": [
         "arn:aws:s3:::*"
       ],
       "Condition": {
           "IpAddress": {
               "aws:SourceIp": ["IP-ADDRESS/23"]
           }
      }
}

Grant access to specific project credentials

{
    "Version": "2012-10-17",
    "Id": "S3PolicySomeROSomeRW",
    "Statement": [
      {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<PROJECT_ID>:root"
          },
          "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::*"
          ]
      },
      {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<PROJECT_ID>:root"
          },
          "Action": [
            "s3:ListBucket",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::*"
          ]
      }
    ]
}