IAM Policy for a Multi-Service Application Role

Q: IAM Policy for a Multi-Service Application Role

## Multi-Service Application Role Real applications rarely need just one AWS service. A typical serverless backend might read/write to DynamoDB, upload files to S3, send messages to SQS, read secrets, and write logs. This policy combines multiple service permissions into a single role policy. ### Policy JSON json { "Version": "2012-10-17", "Statement": [ { "Sid": "DynamoDBAccess", "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:PutItem",

Create a comprehensive IAM policy for a typical serverless application accessing S3, DynamoDB, SQS, Secrets Manager, and CloudWatch Logs.

Advanced Patterns

Detailed Explanation

Multi-Service Application Role

Real applications rarely need just one AWS service. A typical serverless backend might read/write to DynamoDB, upload files to S3, send messages to SQS, read secrets, and write logs. This policy combines multiple service permissions into a single role policy.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DynamoDBAccess",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/users",
        "arn:aws:dynamodb:us-east-1:123456789012:table/users/index/*",
        "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        "arn:aws:dynamodb:us-east-1:123456789012:table/orders/index/*"
      ]
    },
    {
      "Sid": "S3ObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::myapp-uploads/*"
    },
    {
      "Sid": "SQSSendMessages",
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:GetQueueUrl"
      ],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:myapp-processing-queue"
    },
    {
      "Sid": "SecretsRead",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/*"
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/myapp-*:*"
    }
  ]
}

Design Principles

One Sid per service — makes it easy to audit which services are accessed.
Specific resource ARNs — no "*" wildcards except where AWS requires it.
Minimal actions — only the operations the application actually uses.
No management actions — no Create, Delete, or Describe for the infrastructure itself.

Policy Size Limits

IAM inline policies can be up to 2,048 characters (for users) or 10,240 characters (for roles). Managed policies can be up to 6,144 characters. If your policy exceeds these limits, split it into multiple managed policies attached to the same role.

Use Case

Serverless backends (Lambda + API Gateway), containerized microservices (ECS/EKS), and any application that interacts with multiple AWS services in a single execution context.

Try It — AWS IAM Policy Generator

Open full tool →