{ "Sid": "PrismaCloudStorageStatement", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789101:role/PrismaCloudReadOnlyRoleWithDLP" }, "Action": [ "s3:GetBucketLocation", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ]}