docs(s3.md): add example Policy to allow access to S3 & SQS (#852)

* docs(s3.md): add example Policy to allow access to S3 & SQS

* Update crowdsec-docs/docs/log_processor/data_sources/s3.md: only need s3

* Update crowdsec-docs/docs/log_processor/data_sources/s3.md: more precise permissions

* Update crowdsec-docs/docs/log_processor/data_sources/s3.md: SQS precise premissions

Author: arthurzenika

crowdsec-docs/docs/log_processor/data_sources/s3.md

@@ -134,3 +134,40 @@ crowdsec -type syslog -dsn s3://my_bucket/my_prefix/foo.log?log_level=debug
 ```
 
 AWS SDK behaviour can be configured with the standard AWS environment variables.
+
+
+## IAM Permissions
+
+Because the component needs to interact with AWS resources, it need the proper permissions.
+
+Here is the set of required permissions:
+```json
+{
+    "Statement": [
+        {
+            "Action": [
+                "sqs:ReceiveMessage",
+                "sqs:DeleteMessage",
+                "sqs:GetQueueAttributes",
+                "sqs:GetQueueUrl",
+                "sqs:ListDeadLetterSourceQueues",
+                "sqs:ListQueues"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:sqs:::test-sqs-s3-acquis"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:DescribeJob",
+                "s3:Get*",
+                "s3:List*"
+            ],
+            "Resource": "arn:aws:s3:::my_bucket:*"
+        }
+    ],
+    "Version": "2012-10-17"
+}
+```
+
+For the permissions, we recommend to restrict the S3 permissions to read only operations, to avoid the ability to destroy logs from the CrowdSec agent. If you are using S3 polling, the SQS part of the permissions can be omitted.