Add section on required IAM permissions.

cf.: https://github.com/ncw/rclone/issues/1455

docs/content/s3.md

@@ -245,6 +245,52 @@ credentials. In order of precedence:
 If none of these option actually end up providing `rclone` with AWS
 credentials then S3 interaction will be non-authenticated (see below).
 
+### S3 Permissions ###
+
+When using the `sync` subcommand of `rclone` the following minimum 
+permissions are required to be available on the bucket being written to:
+
+* `ListBucket`
+* `DeleteObject`
+* `PutObject`
+* `PutObjectACL`
+
+Example policy:
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::USER_SID:user/USER_NAME"
+            },
+            "Action": [
+                "s3:ListBucket",
+                "s3:DeleteObject",
+                "s3:PutObject",
+                "s3:PutObjectAcl"
+            ],
+            "Resource": [
+              "arn:aws:s3:::BUCKET_NAME/*",
+              "arn:aws:s3:::BUCKET_NAME"
+            ]
+        }
+    ]
+}
+```
+
+Notes on above:
+
+1. This is a policy that can be used when creating bucket. It assumes
+   that `USER_NAME` has been created.
+2. The Resource entry must include both resource ARNs, as one implies 
+   the bucket and the other implies the bucket's objects.
+
+For reference, [here's an Ansible script](https://gist.github.com/ebridges/ebfc9042dd7c756cd101cfa807b7ae2b) 
+that will generate one or more buckets that will work with `rclone sync`.
+
 ### Specific options ###
 
 Here are the command line options specific to this cloud storage