Build cross-account resource policies for S3, SQS, SNS, and Lambda.
Last verified: May 2026
Resource-based policies in AWS attach directly to resources like S3 buckets, SQS queues, SNS topics, and Lambda functions, controlling who can access the resource and under what conditions. Unlike identity-based IAM policies that travel with the principal, resource policies stay with the resource and can grant cross-account access without requiring IAM role assumption. The Resource Policy Builder generates syntactically correct policy documents with proper Principal, Action, Resource, and Condition blocks for the most common cross-account and service-to-service access patterns.
Identity-based IAM policies attach to users, groups, or roles and define what those principals can do. Resource policies attach to the resource itself and define who can access it. A key difference is that resource policies can grant cross-account access directly — the calling account does not need to assume a role. When both IAM and resource policies apply, AWS evaluates them together: within the same account, the union of the permissions granted by both applies. For cross-account access, both the caller's IAM policy and the resource policy must allow the action.
Common services include S3 (bucket policies), SQS (queue policies), SNS (topic policies), Lambda (function policies), KMS (key policies), Secrets Manager, ECR, API Gateway, and EventBridge. Each service has slightly different supported condition keys and actions. Not all services support resource policies — for services like EC2 or RDS, you must use IAM roles for cross-account access.
Your team needs to give a partner company read-only access to specific S3 prefixes containing API documentation. The builder generates a bucket policy with Effect Allow, Principal set to the partner's AWS account ARN, Action s3:GetObject and s3:ListBucket, Resource limited to the specific prefixes, and a Condition on aws:SecureTransport=true. The partner can now access the documentation directly, without the complexity of IAM role assumption, and every request shows up in the access logs. Setup time: 10 minutes vs the 1-2 hours of trial-and-error to get the policy syntax right by hand.
The builder constructs resource-based policies as JSON Statement arrays with: Effect, Principal (AWS account, IAM entity, or AWS service), Action (service-specific actions), Resource (resource ARN), and Condition. Templates exist for common patterns: cross-account S3, Lambda invocation by service, KMS key access, SQS for SNS subscription, ECR pull from another account. Output is the policy JSON ready for `aws s3api put-bucket-policy`, `aws lambda add-permission`, etc.
When granting cross-account S3 access via bucket policy, ALSO require the consuming account's IAM policy to allow the action. Some teams skip the IAM side, thinking the bucket policy is sufficient — but cross-account access requires BOTH sides to allow. The symptom is inconsistent behaviour: the request works from one client (curl) and fails from another (the CLI, which picks up different default credentials).
S3 bucket policies have a 20 KB size limit. For complex access rules with many principals/conditions, split into multiple bucket policies via S3 Access Points, where each access point has its own 20 KB policy budget.
ALWAYS include an `aws:SecureTransport` Deny condition (denying non-HTTPS traffic) in resource policies. Most security audit tools flag its absence as a finding. The condition is simple to add and prevents accidental cleartext traffic to your resources.
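The partner read-only scenario, the 20 KB limit and the SecureTransport Deny from the notes above, combined into one bucket policy. This is an added example, not the builder's own output; the bucket name, partner account ID and prefixes are constructed placeholders.

```python
import json

# Constructed placeholder values: replace with your bucket name and the partner's account ID.
BUCKET = "example-docs-bucket"
PARTNER_ACCOUNT = "111122223333"
PREFIXES = ["api-docs/", "sdk-docs/"]


def build_cross_account_read_policy(bucket, partner_account, prefixes):
    """Bucket policy: partner gets read-only access to the given prefixes, plus a TLS-only Deny."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    partner = {"AWS": f"arn:aws:iam::{partner_account}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PartnerReadObjects",
                "Effect": "Allow",
                "Principal": partner,
                "Action": "s3:GetObject",
                "Resource": [f"{bucket_arn}/{p}*" for p in prefixes],
            },
            {
                # ListBucket is bucket-level; s3:prefix restricts listing to the allowed prefixes.
                "Sid": "PartnerListPrefixes",
                "Effect": "Allow",
                "Principal": partner,
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": [f"{p}*" for p in prefixes]}},
            },
            {
                # An explicit Deny overrides every Allow, so cleartext HTTP is refused for all callers.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def policy_json(policy):
    """Serialise the policy and enforce the 20 KB bucket-policy limit before put-bucket-policy."""
    body = json.dumps(policy, separators=(",", ":"))
    if len(body.encode()) > 20 * 1024:
        raise ValueError("bucket policy exceeds 20 KB; split it across S3 Access Points")
    return body
```

Write the string returned by `policy_json(...)` to a file and pass it to `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`; the partner side still needs an identity policy allowing s3:GetObject and s3:ListBucket on the same ARNs.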