Visual builder for S3 bucket policies with principal, action, and condition support.
Last verified: April 2026
The builder collects statement parameters through a form interface: Effect (Allow/Deny), Principal (AWS accounts, IAM entities, or services), Action (S3 API operations), Resource (bucket and object ARN patterns), and optional Conditions. It assembles these into a valid IAM policy document JSON with proper Version, Statement array structure, and ARN formatting, then validates the output against common mistakes.
The S3 Bucket Policy Builder provides a guided interface for constructing S3 bucket policies with proper principal, action, resource, and condition support. S3 bucket policies use the same IAM policy language but apply at the bucket level, and getting the JSON syntax right with the correct ARN patterns and condition keys can be error-prone. This tool walks you through each policy statement, validates your inputs, and generates correctly formatted JSON that you can apply directly to your S3 bucket.
Your CloudFront distribution needs to serve files from a private S3 bucket using Origin Access Control. You use the builder to create a policy that allows the s3:GetObject action for the CloudFront service principal with a condition key restricting access to your specific distribution ID. The builder correctly formats the principal as "Service": "cloudfront.amazonaws.com" and generates the aws:SourceArn condition, saving you from the common mistake of using the old OAI format.
The Principal field format is the most common source of bucket policy errors. Use "AWS": "arn:aws:iam::123456789012:root" for account-level access, "AWS": "arn:aws:iam::123456789012:role/RoleName" for role-level, and "Service": "s3.amazonaws.com" for service principals. Using just the account number without the ARN prefix silently fails.
Condition keys are your best defense against overly permissive policies. Always add aws:SecureTransport to deny non-HTTPS requests, and use s3:x-amz-server-side-encryption to enforce encryption at upload time. These two conditions cover the most common S3 security audit findings.
S3 bucket policies have a 20 KB size limit. If you need complex access rules for many principals, use S3 Access Points instead. Each access point gets its own policy with its own 20 KB limit, effectively giving you unlimited policy space across multiple access points on a single bucket.
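The points above (principal formatting, the CloudFront OAC pattern, the two audit-finding conditions, and the 20 KB limit) are easy to see in code. The following is an added example written for this page, not the builder's own implementation: it assembles a bucket policy from small helpers and runs the same kind of checks the builder is described as doing. The account ID, bucket name and distribution ID are constructed placeholders, and AES256 is just the algorithm chosen for the encryption check.

```python
import json

POLICY_VERSION = "2012-10-17"
MAX_POLICY_BYTES = 20 * 1024  # bucket policy size limit stated on the page

# Constructed placeholder identifiers for this example; not real AWS resources.
ACCOUNT_ID = "123456789012"
BUCKET = "example-private-bucket"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal(kind, value, account_id=None):
    """Format a Principal block: account root, IAM role, or AWS service."""
    if kind == "account":
        return {"AWS": f"arn:aws:iam::{value}:root"}
    if kind == "role":
        return {"AWS": f"arn:aws:iam::{account_id}:role/{value}"}
    if kind == "service":
        return {"Service": value}
    raise ValueError(f"unknown principal kind: {kind}")


def statement(sid, effect, princ, actions, resources, conditions=None):
    """Assemble one statement; Condition is omitted when there is none."""
    stmt = {"Sid": sid, "Effect": effect, "Principal": princ,
            "Action": actions, "Resource": resources}
    if conditions:
        stmt["Condition"] = conditions
    return stmt


def cloudfront_oac_statement(bucket, account_id, distribution_id):
    """Allow GetObject only to CloudFront requests from one distribution (OAC)."""
    dist_arn = f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
    return statement("AllowCloudFrontOAC", "Allow",
                     principal("service", "cloudfront.amazonaws.com"),
                     "s3:GetObject", f"arn:aws:s3:::{bucket}/*",
                     {"StringEquals": {"aws:SourceArn": dist_arn}})


def deny_insecure_transport(bucket):
    """Deny every S3 action over plain HTTP, on the bucket and on its objects."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return statement("DenyInsecureTransport", "Deny", "*", "s3:*", arns,
                     {"Bool": {"aws:SecureTransport": "false"}})


def deny_unencrypted_uploads(bucket, algorithm="AES256"):
    """Deny PutObject unless the upload names the expected SSE algorithm."""
    return statement("DenyUnencryptedUploads", "Deny", "*", "s3:PutObject",
                     f"arn:aws:s3:::{bucket}/*",
                     {"StringNotEquals": {"s3:x-amz-server-side-encryption": algorithm}})


def build_policy(statements):
    return {"Version": POLICY_VERSION, "Statement": list(statements)}


def validate_policy(policy):
    """Return findings for the common mistakes named on the page; [] means clean."""
    findings = []
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        findings.append(f"policy is {size} bytes, over the 20 KB bucket policy limit")
    has_tls_deny = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        princ = stmt.get("Principal")
        aws_principals = _as_list(princ.get("AWS", [])) if isinstance(princ, dict) else []
        for p in aws_principals:
            if p.isdigit():  # bare account number instead of the root ARN
                findings.append(f"{sid}: principal {p!r} should be arn:aws:iam::{p}:root")
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith("s3:"):
                findings.append(f"{sid}: {action!r} is not an S3 action")
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith("arn:aws:s3:::"):
                findings.append(f"{sid}: resource {res!r} is not an S3 ARN")
        tls = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and tls == "false":
            has_tls_deny = True
    if not has_tls_deny:
        findings.append("no Deny on aws:SecureTransport=false: plaintext HTTP is still allowed")
    return findings


def example_policy():
    """The CloudFront OAC scenario plus the two conditions recommended above."""
    return build_policy([cloudfront_oac_statement(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID),
                         deny_insecure_transport(BUCKET),
                         deny_unencrypted_uploads(BUCKET)])


if __name__ == "__main__":
    print(json.dumps(example_policy(), indent=2))
    print("findings:", validate_policy(example_policy()) or "none")
```

Running the script prints the assembled policy and an empty findings list; feeding `validate_policy` a statement whose principal is `{"AWS": "123456789012"}` and no TLS deny produces one finding for each, which is the kind of feedback the builder's validation step is meant to give before the JSON is applied to a bucket.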
IAM policies are attached to users, groups, or roles and control what actions those identities can perform. S3 bucket policies are attached to the bucket itself and control who can access that bucket. Both can grant or deny access; the effective permissions are the union of both, subject to explicit denies.
The builder can produce a policy that explicitly denies access from principals outside your AWS account. However, for comprehensive public access prevention, you should also enable S3 Block Public Access settings at the bucket or account level.
The builder focuses on standard bucket policies. S3 Access Points use a similar policy syntax but with different ARN formats. You can adapt the generated policy for access points by modifying the resource ARN.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.