IAM Policy Generator for S3 Bucket Access

Generate secure AWS IAM policies for granting access to S3 buckets. Perfect for data pipelines, analytics workloads, and following AWS security best practices.

Bucket Configuration

S3 Bucket Name

The name of your S3 bucket (e.g., my-company-data-lake)

Please enter a valid S3 bucket name (3-63 lowercase letters, numbers, hyphens, or periods)

AWS Account ID (Optional)

12-digit AWS account ID for cross-account access

Account ID must be exactly 12 digits

Object Prefix (Optional)

Limit access to objects with this prefix (e.g., "data/raw/" for a specific folder)

Permission Level

Quick presets for common use cases:

GetObject Read objects

PutObject Upload objects

DeleteObject Remove objects

ListBucket List bucket contents

GetObjectAttributes Read object metadata

GetObjectAcl Read object ACLs

PutObjectAcl Modify object ACLs

AbortMultipartUpload Cancel uploads

Policy Statement ID (SID)

Optional identifier for this policy statement (alphanumeric only)

Add IP Address Condition Restrict access to specific IP ranges

Allowed IP Range (CIDR)

CIDR notation (e.g., 192.168.1.0/24 or 10.0.0.0/8)

Generated IAM Policy

How to Use

Enter your bucket name: Provide the name of the S3 bucket you want to grant access to.
Add account ID (optional): Include your 12-digit AWS account ID for more specific resource ARNs.
Specify a prefix (optional): Limit access to objects within a specific path/folder.
Choose permissions: Use a preset or select individual permissions based on your needs.
Generate: Click "Generate IAM Policy" to create your policy JSON.
Copy and use: Copy the policy and attach it to an IAM user, role, or group in AWS.

About This Tool

This IAM Policy Generator helps data engineers, developers, and cloud architects create secure AWS IAM policies for S3 bucket access. It follows AWS security best practices by:

Principle of least privilege: Only grants the permissions you select.
Resource scoping: Policies are scoped to specific buckets and optional prefixes.
Clear structure: Generated policies use the latest IAM policy version and proper formatting.

Permission Presets Explained

Read Only: GetObject, ListBucket, GetObjectAttributes - for data consumers and analytics.
Write Only: PutObject, AbortMultipartUpload - for data producers and ETL jobs writing data.
Read & Write: Combines read and write permissions - for most data pipeline use cases.
Full Access: All available permissions including delete and ACL management.
Custom: Select exactly the permissions you need.

Common Use Cases

Data Lake Access: Grant read-only access to specific prefixes for analytics teams.
ETL Pipelines: Read/write access to source and destination buckets.
Backup Jobs: Write-only access for services that push backups to S3.
Cross-Account Sharing: Specify account ID to enable access from other AWS accounts.

Privacy: This tool runs entirely in your browser. No data is sent to any server. Your bucket names, account IDs, and generated policies never leave your device.