AWS IAM Policy Generator

Build AWS IAM policy JSON documents visually. Select services, actions, resources, and conditions to generate valid IAM policies.

About This Tool

The AWS IAM Policy Generator is a free browser-based tool that helps you create AWS Identity and Access Management (IAM) policy JSON documents through a visual form interface. Instead of manually writing JSON, you can select the Effect (Allow/Deny), choose an AWS service (S3, EC2, Lambda, DynamoDB, and 20+ more), pick specific actions from a searchable list, define resource ARNs, and add conditions — all from an intuitive visual builder.

The tool supports multiple policy statements, letting you build complex policies with different service permissions in a single document. Common policy templates are included for quick starts: S3 read-only, Lambda invoke, DynamoDB CRUD, CloudWatch Logs writer, KMS encrypt/decrypt, and more. The generated JSON updates in real time with syntax highlighting, making it easy to review before copying to the AWS Console or your infrastructure-as-code templates.

If you are starting from an existing policy, the JSON Formatter can validate and pretty-print it so that its statements and ARNs are easy to read before you rebuild them here. For CloudFormation or Terraform templates written in YAML, the YAML Formatter can help you keep the surrounding configuration clean.

All processing runs entirely in your browser. No policy data, ARNs, or account information is ever sent to any server. This makes the tool safe to use with real AWS account IDs, production resource ARNs, and sensitive infrastructure details.

How to Use

  1. Choose a policy template to start with a common pattern, or build from scratch by clicking Add Statement.
  2. For each statement, select the Effect (Allow or Deny) and the AWS Service (S3, Lambda, DynamoDB, etc.).
  3. Pick specific Actions from the searchable checklist, or leave it empty to grant every action of the service (service:*). A service-wide wildcard is rarely appropriate in an Allow statement; it is mostly useful in a Deny.
  4. Enter one or more Resource ARNs (e.g., arn:aws:s3:::my-bucket/*). Use * for all resources, but prefer the narrowest ARN pattern that covers the use case.
  5. Optionally add Conditions by selecting an operator (StringEquals, IpAddress, etc.), a condition key, and a value.
  6. Review the generated IAM Policy JSON in the right panel with real-time syntax highlighting.
  7. Click Copy or press Ctrl+Shift+C to copy the policy to your clipboard, or click Download to save as a .json file.
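The steps above, carried through in code as an added example that is not the tool's own source: a builder that takes the same inputs the form collects (effect, service, actions, resources, condition rows), validates them, assembles the JSON document, and then lints the result for the least-privilege problems a reviewer would flag. Function names, the ARN regex, and the sample statements are assumptions made for illustration.

```javascript
// Added example (not the tool's own source): assemble an IAM policy document from
// form-style statement specs and lint it before it is copied into IaC.
// All function and field names here are assumptions for illustration.

// Matches a full ARN (arn:partition:service:region:account-id:resource) or a bare "*".
// Region and account-id may be empty (e.g. S3 bucket ARNs) or wildcards.
const ARN_RE = /^arn:(aws|aws-cn|aws-us-gov|\*):[a-z0-9-]+:[a-z0-9*-]*:(\d{12}|\*)?:.+$/;

function isValidResource(arn) {
  return arn === "*" || ARN_RE.test(arn);
}

// spec: { effect: "Allow"|"Deny", service: "s3", actions: ["GetObject"],
//         resources: ["arn:aws:s3:::my-bucket/*"],
//         conditions: [{ operator: "IpAddress", key: "aws:SourceIp", value: "203.0.113.0/24" }] }
function buildStatement(spec) {
  if (spec.effect !== "Allow" && spec.effect !== "Deny") {
    throw new Error(`Effect must be Allow or Deny, got ${spec.effect}`);
  }
  if (!spec.service) throw new Error("service is required");
  // An empty action checklist means every action of the service.
  const actions = spec.actions && spec.actions.length
    ? spec.actions.map((a) => `${spec.service}:${a}`)
    : [`${spec.service}:*`];
  const resources = spec.resources && spec.resources.length ? spec.resources : ["*"];
  for (const r of resources) {
    if (!isValidResource(r)) throw new Error(`Malformed resource ARN: ${r}`);
  }
  const stmt = {
    Effect: spec.effect,
    Action: actions.length === 1 ? actions[0] : actions,
    Resource: resources.length === 1 ? resources[0] : resources,
  };
  // Fold {operator, key, value} rows into IAM's {Operator: {Key: Value}} form; a key
  // repeated under one operator becomes a list, which IAM evaluates as logical OR.
  if (spec.conditions && spec.conditions.length) {
    const cond = {};
    for (const { operator, key, value } of spec.conditions) {
      cond[operator] = cond[operator] || {};
      const existing = cond[operator][key];
      cond[operator][key] = existing === undefined ? value : [].concat(existing, value);
    }
    stmt.Condition = cond;
  }
  return stmt;
}

function buildPolicy(specs) {
  return { Version: "2012-10-17", Statement: specs.map(buildStatement) };
}

// Least-privilege lint: an Allow over every action, every action of a service, or
// every resource is what a security reviewer will push back on.
function lintPolicy(policy) {
  const findings = [];
  policy.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    const actions = [].concat(s.Action);
    const resources = [].concat(s.Resource);
    if (actions.includes("*")) findings.push(`Statement[${i}]: Action "*" allows every API call`);
    actions.filter((a) => a.endsWith(":*")).forEach((a) =>
      findings.push(`Statement[${i}]: ${a} allows every action of the service`));
    if (resources.includes("*")) findings.push(`Statement[${i}]: Resource "*" applies to every resource`);
  });
  return findings;
}

// Constructed sample input: S3 read-only on one bucket from one office CIDR, plus an
// over-broad Lambda statement that the lint should flag twice.
const SAMPLE_SPECS = [
  { effect: "Allow", service: "s3", actions: ["GetObject", "ListBucket"],
    resources: ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    conditions: [{ operator: "IpAddress", key: "aws:SourceIp", value: "203.0.113.0/24" }] },
  { effect: "Allow", service: "lambda", actions: [], resources: ["*"] },
];

const samplePolicy = buildPolicy(SAMPLE_SPECS);
console.log(JSON.stringify(samplePolicy, null, 2));
console.log(lintPolicy(samplePolicy));
```

Run it with `node` to see the generated document followed by the two lint findings for the Lambda statement. The ARN check is deliberately loose (it only enforces the six-field shape and a 12-digit account ID), because per-service resource formats vary; it catches pasted values that are not ARNs at all, not every invalid ARN.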

FAQ

What AWS services are supported?

The tool supports 25+ AWS services including S3, EC2, Lambda, DynamoDB, IAM, SQS, SNS, CloudWatch, CloudFormation, ECS, EKS, RDS, KMS, Secrets Manager, STS, CloudWatch Logs, Systems Manager, Route 53, ELB, API Gateway, ECR, CodeBuild, CodePipeline, Glue, Athena, Step Functions, and Kinesis. Each service has a curated list of common actions.

Can I add multiple statements to a single policy?

Yes. Click the 'Add Statement' button to add additional statements. Each statement can target a different service with different actions, resources, and conditions. The generated JSON includes all statements in the Statement array.

How do I specify resource ARNs?

Enter the full ARN in the Resource field (e.g., arn:aws:s3:::my-bucket/*). You can add multiple resources per statement by clicking '+ Add'. Use '*' to match all resources. ARN patterns with wildcards are supported.

What are policy conditions and when should I use them?

Conditions add extra restrictions to a statement: it applies only when every condition in it matches the request. Common examples include restricting by source IP address (aws:SourceIp), requiring MFA (aws:MultiFactorAuthPresent), or limiting to a specific region (aws:RequestedRegion). The tool supports the standard condition operators, including StringEquals, IpAddress, Bool, ArnLike, and others. One caveat worth knowing: aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, and a missing key never matches a plain Bool test, so an MFA check that is meant to deny such requests should use BoolIfExists rather than Bool.
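To show what those conditions actually gate, here is a simplified model of IAM's policy evaluation as an added example; it is not part of the tool and is not how AWS implements it. It evaluates a constructed policy that uses aws:SourceIp, aws:RequestedRegion, and aws:MultiFactorAuthPresent against sample request contexts, applying the real ordering (explicit Deny beats Allow, nothing matching is an implicit deny). Only the operators named on this page plus StringLike and the IfExists suffix are modelled, IP matching is IPv4-only, and all function names and sample requests are assumptions.

```javascript
// Added example, not part of the tool: a simplified model of IAM policy evaluation,
// covering StringEquals, StringLike, Bool, IpAddress, ArnLike and the IfExists suffix.
// IPv4 only. Function names and sample data are assumptions for illustration.

// Wildcard match used for Action and ArnLike values: "*" is any run, "?" one character.
function wildcardMatch(pattern, value) {
  const escape = (s) => s.replace(/[.+^${}()|\[\]\\]/g, "\\$&");
  const body = pattern.split("*")
    .map((run) => run.split("?").map(escape).join("."))
    .join(".*");
  return new RegExp("^" + body + "$").test(value);
}

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(cidr, ip) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// Each operator compares one policy value against the request's context value.
const OPERATORS = {
  StringEquals: (p, v) => p === v,
  StringLike: (p, v) => wildcardMatch(p, v),
  Bool: (p, v) => String(p).toLowerCase() === String(v).toLowerCase(),
  IpAddress: (p, v) => inCidr(p, v),
  ArnLike: (p, v) => wildcardMatch(p, v),
};

// Operators and keys are ANDed; a list of values under one key is ORed. A key that is
// absent from the request context never matches, unless the operator has the IfExists
// suffix, in which case an absent key counts as a match.
function conditionMatches(condition, context) {
  for (const [rawOp, keys] of Object.entries(condition || {})) {
    const ifExists = rawOp.endsWith("IfExists");
    const op = ifExists ? rawOp.slice(0, -"IfExists".length) : rawOp;
    const test = OPERATORS[op];
    if (!test) throw new Error(`operator not covered by this model: ${rawOp}`);
    for (const [key, policyValues] of Object.entries(keys)) {
      if (!(key in context)) {
        if (ifExists) continue;
        return false;
      }
      if (![].concat(policyValues).some((p) => test(p, context[key]))) return false;
    }
  }
  return true;
}

function statementApplies(stmt, req) {
  const actions = [].concat(stmt.Action);
  const resources = [].concat(stmt.Resource);
  return actions.some((a) => wildcardMatch(a.toLowerCase(), req.action.toLowerCase()))
    && resources.some((r) => wildcardMatch(r, req.resource))
    && conditionMatches(stmt.Condition, req.context);
}

// Explicit Deny wins over any Allow; no matching statement is an implicit deny.
function evaluate(policy, req) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    if (!statementApplies(stmt, req)) continue;
    if (stmt.Effect === "Deny") return "explicit deny";
    allowed = true;
  }
  return allowed ? "allow" : "implicit deny";
}

// Constructed sample policy: read one bucket from the office CIDR in one region,
// and deny all S3 calls that do not carry MFA, including access-key requests that
// have no aws:MultiFactorAuthPresent key at all (hence BoolIfExists, not Bool).
const SAMPLE_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3:GetObject", "s3:ListBucket"],
      Resource: ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
      Condition: { IpAddress: { "aws:SourceIp": "203.0.113.0/24" },
                   StringEquals: { "aws:RequestedRegion": "eu-west-1" } } },
    { Effect: "Deny", Action: "s3:*", Resource: "*",
      Condition: { BoolIfExists: { "aws:MultiFactorAuthPresent": "false" } } },
  ],
};

// Constructed sample request and a helper to vary its context (undefined removes a key).
const BASE_REQUEST = {
  action: "s3:GetObject",
  resource: "arn:aws:s3:::my-bucket/report.csv",
  context: { "aws:SourceIp": "203.0.113.7", "aws:RequestedRegion": "eu-west-1",
             "aws:MultiFactorAuthPresent": "true" },
};
function withContext(req, changes) {
  const context = { ...req.context };
  for (const [k, v] of Object.entries(changes)) {
    if (v === undefined) delete context[k]; else context[k] = v;
  }
  return { ...req, context };
}

console.log(evaluate(SAMPLE_POLICY, BASE_REQUEST));
console.log(evaluate(SAMPLE_POLICY, withContext(BASE_REQUEST, { "aws:MultiFactorAuthPresent": undefined })));
```

Running the block prints "allow" for the in-office MFA request and "explicit deny" for the same request made with a long-term access key; swapping BoolIfExists for Bool in the Deny statement would turn that second result into "allow", which is the failure mode the caveat above describes.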

Are the policy templates production-ready?

The templates provide a solid starting point but you should customize the resource ARNs, account IDs, and region values to match your actual AWS environment. Always follow the principle of least privilege — grant only the permissions needed for the specific use case.

Is my data safe?

Yes. All policy generation runs entirely in your browser using JavaScript. No data — including ARNs, account IDs, or policy content — is ever sent to any server. You can verify this by checking the Network tab in your browser's developer tools.

Can I use this with CloudFormation or Terraform?

Yes. The generated JSON is valid IAM policy syntax that can be pasted directly into a CloudFormation PolicyDocument property, the policy argument of a Terraform aws_iam_policy resource, a CDK PolicyDocument.fromJson() call, or the AWS Console policy editor. In each case, keep the JSON in a file or a template that your review process sees, so that changes to Action and Resource wildcards are reviewed like any other infrastructure change.
