AWS Policy Generator
Build production-ready AWS IAM policies, S3 bucket policies, SNS topic policies, SQS queue policies, and VPC endpoint policies visually — with live JSON output, validation, and analysis.
| Element | Required | Description |
|---|---|---|
| Version | ✓ Recommended | Policy language version (2012-10-17) |
| Id | Optional | Optional identifier for the policy |
| Statement | ✓ Required | Array of individual permission statements |
| Sid | Optional | Statement identifier (alphanumeric + underscore) |
| Effect | ✓ Required | Allow or Deny |
| Principal | Required in resource-based policies | Who the statement applies to |
| Action | ✓ Required | List of AWS service actions (e.g. s3:GetObject) |
| Resource | ✓ Required | ARN(s) the statement applies to |
| Condition | Optional | When the policy takes effect |
| Operator | Use case |
|---|---|
| StringEquals | Exact string match |
| StringLike | Wildcard string match (*, ?) |
| ArnEquals | Exact ARN match |
| ArnLike | Wildcard ARN match |
| IpAddress | IPv4/CIDR range match |
| Bool | Boolean (e.g. aws:MultiFactorAuthPresent) |
| DateLessThan | Date/time comparison |
| NumericEquals | Integer comparison |
| StringNotEquals | Negated string match |
| Null | Key presence check |
| Condition Key | Type | Description |
|---|---|---|
| aws:RequestedRegion | String | Restrict API calls to specific AWS regions |
| aws:SourceIp | IpAddress | Allow / deny based on caller IP address or CIDR |
| aws:MultiFactorAuthPresent | Bool | Require MFA authentication to be active |
| aws:PrincipalAccount | String | Match the AWS account of the principal making the request |
| aws:PrincipalOrgID | String | Restrict to principals within a specific AWS Organization |
| aws:CalledVia | String | Restrict to calls made through specific AWS services |
| aws:SecureTransport | Bool | Require HTTPS — deny unencrypted HTTP requests |
| aws:TagKeys | String | Restrict based on tag key names in the request |
| aws:RequestTag/key | String | Match specific tag values in create/tag requests |
| s3:prefix | String | Restrict S3 ListBucket to specific key prefixes |
What Is an AWS IAM Policy and How Do You Write One?
An AWS IAM policy is a JSON document that defines which AWS API actions a principal (user, role, or service) is allowed or denied to perform on which resources, and optionally under what conditions. Writing policies by hand is error-prone — this generator gives you a visual UI to build correct, production-safe policies in seconds.
Types of AWS Policies
- Identity-based policies — Attached to IAM users, groups, or roles. Control what that identity can do.
- Resource-based policies — Attached to a resource like an S3 bucket or SQS queue. Control who can access that resource.
- Permissions boundaries — Set the maximum permissions an IAM entity can have, regardless of attached policies.
- Service control policies (SCPs) — Applied at the AWS Organisation level to restrict maximum permissions across accounts.
- Session policies — Passed inline when assuming a role to further restrict that session's permissions.
The Six Policy Elements Explained
Version: Always use 2012-10-17. This unlocks modern IAM features like policy variables (${aws:username}).
Effect: Either Allow or Deny. An explicit Deny always wins over any Allow — across all policies evaluated for a request.
Principal: Specifies who the statement applies to. Required for resource-based policies. Can be an AWS account (arn:aws:iam::123456789012:root), an IAM role, a service (e.g. lambda.amazonaws.com), or a wildcard (*).
Action: A list of AWS API actions in service:Action format, e.g. s3:GetObject, ec2:DescribeInstances. Use * to mean all actions. Use s3:* to mean all S3 actions.
Resource: The ARN(s) the statement applies to. Use * to match all resources. Use wildcards like arn:aws:s3:::my-bucket/* to match all objects inside a bucket.
Condition: Optional constraints using condition keys, operators, and values. Common patterns: require MFA, restrict by IP, require HTTPS, or limit to a specific AWS region.
IAM Policy Evaluation Logic
AWS evaluates all applicable policies in this order: (1) an explicit Deny in any policy immediately denies the request; (2) an explicit Allow grants access; (3) if no Allow is found, the request is implicitly denied. This means the default state is deny everything — permissions must be explicitly granted.
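The three-step order above, as an added example that is not part of the page's generator: a minimal evaluator over constructed sample policies. It models wildcard matching on Action and Resource plus the Bool and StringEquals operators; other operators are out of scope here, and the policies, bucket name and request context are all constructed.

```python
import fnmatch
# Constructed sample policies (not output of the page's generator): an Allow
# scoped to one bucket, plus an explicit Deny that fires when MFA was not used.
POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Model two operators from the table above, Bool and StringEquals. A key
    absent from the request context never satisfies a test, so the Deny on
    MultiFactorAuthPresent=false does not fire for a request without that key."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator not in ("Bool", "StringEquals"):
                raise ValueError(f"operator not modelled here: {operator}")
    return True

def _matches(stmt, action, resource, ctx):
    # Action names are case-insensitive in IAM, ARNs are not; '*' and '?' apply to both.
    act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return act_ok and res_ok and _condition_holds(stmt.get("Condition", {}), ctx)

def evaluate(policies, action, resource, ctx):
    """Explicit Deny wins, then explicit Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # step 1: stop as soon as any Deny matches
            decision = "Allow"         # step 2: remember it, but keep looking for a Deny
    return decision                    # step 3: nothing allowed it
```

Note the last case in the test: a request context with no aws:MultiFactorAuthPresent key at all is still allowed, because a Bool test on a missing key never matches, which is why a Deny-on-false guardrail on its own does not force MFA.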
Security Best Practices
- Apply least-privilege — grant only the specific actions and resources needed, never "Action": "*" with "Resource": "*".
- Use conditions to add guardrails — require MFA, restrict to known IP ranges, or require HTTPS.
- Prefer roles over users — attach policies to roles and assume them rather than creating long-lived access keys.
- Use resource-level permissions — specify exact ARNs rather than wildcards wherever possible.
- Add a Deny with an aws:PrincipalOrgID condition in S3 bucket policies to prevent access from outside your AWS Organization.
- Enable AWS IAM Access Analyzer to automatically detect over-permissive policies in your account.
Frequently Asked Questions
"Principal": "*" means the policy applies to all AWS accounts and services — including unauthenticated public access. Always pair a wildcard Principal with restrictive conditions such as aws:PrincipalOrgID or aws:SourceIp.

${aws:username} and ${aws:userid} let you write dynamic policies that resolve to the caller's identity at evaluation time. They require policy version 2012-10-17.
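A small checker for the best-practice guardrails listed above and for the wildcard-Principal point in the FAQ, added here as an example and not the page's own validator. It flags Allow statements that combine "Action": "*" with "Resource": "*", use "Resource": "*" at all, or use a wildcard Principal without any Condition; the Organization id, bucket name and both sample policies are constructed placeholders.

```python
# Placeholder Organization id and bucket name; the sample policies are constructed.
ORG_ID = "o-EXAMPLEORGID"
BUCKET = "arn:aws:s3:::my-bucket"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_star(value):
    return "*" in _as_list(value)

def _wildcard_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and _is_star(principal.get("AWS", [])))

def lint_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that break the guardrails above."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt["Effect"] != "Allow":
            continue  # a Deny carrying wildcards is a guardrail, not a risk
        if _is_star(stmt["Action"]) and _is_star(stmt["Resource"]):
            findings.append((sid, "Action:* with Resource:* grants everything"))
        elif _is_star(stmt["Resource"]):
            findings.append((sid, "Resource:* where an exact ARN would do"))
        if _wildcard_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((sid, "Principal:* with no Condition is open to anyone"))
    return findings

# A resource policy as it is often first written: public and unbounded.
RISKY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenToAll", "Effect": "Allow", "Principal": "*",
     "Action": "*", "Resource": "*"}]}

# Same intent, scoped down: exact ARNs, an Organization guardrail and an HTTPS requirement.
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Sid": "DenyHttp", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
```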