I needed this for a scenario where the client could not authenticate to S3 but still needed to be able to download files from S3. So I created this policy, which allows all files to be downloaded but restricts access to the download action (s3:GetObject) by source IP. Since