Lowest possible permissions for AWS with Paperclip

I’m trying to set AWS bucket permissions for an S3 bucket that receives Paperclip uploads. My goal is to deny access to any actions that are not absolutely needed (things like deleting a bucket, etc. should not be permitted). Any time I narrow my allowed permissions any narrower than “s3:*” for the bucket (meaning this account can do anything to the bucket), I get access denied 403 errors from AWS.

The Amazon docs site is 404ing on lots of links within their own documentation, so I’m kinda stuck.