S3 Bucket Policy Generator

Generate S3 bucket policies from AWS Policy Generator action metadata and export JSON, Terraform, or CloudFormation snippets.

Step 1

Configure bucket defaults

Set the sample bucket name used when adding generated S3 bucket and object resources.

Step 2

Choose S3 actions

The action list is scoped to AWS Policy Generator's S3 Bucket Policy actions.

Step 3

Configure bucket policy statements

Build S3 bucket policies from AWS action metadata

This generator uses AWS Policy Generator's S3 Bucket Policy action list and enriches it with Amazon S3 Service Authorization Reference metadata so you can build bucket policies with actions, principals, bucket or object resources, and condition keys in one place.

How to use the S3 bucket policy generator

  1. Set the bucket name used for generated sample bucket and object ARNs.
  2. Search for one of the S3 Bucket Policy actions exposed by AWS Policy Generator.
  3. Configure effect, S3 resources, principals, and supported condition keys.
  4. Copy the generated JSON, Terraform, or CloudFormation bucket policy.

S3 bucket policies are resource policies

S3 bucket policies include a Principal element because the policy lives on the bucket and defines who can list, read, write, tag, or manage S3 resources at the bucket boundary.

Need a different policy type? Switch to the IAM policy generator, SNS topic policy generator, SQS queue policy generator, or VPC endpoint policy generator.

Frequently asked questions

Should I use an S3 bucket policy or an IAM identity policy?

Use an IAM identity policy to grant permissions to users, roles, or applications in your account. Use an S3 bucket policy when access must be controlled on the bucket itself, especially for cross-account access, public access exceptions, service integrations, or organization-wide guardrails.

Why does an S3 bucket policy need a Principal?

S3 bucket policies are resource policies. The Principal element identifies who the statement applies to, such as an AWS account, IAM role ARN, federated principal, AWS service principal, or wildcard.

When should I use a bucket ARN versus an object ARN?

Bucket-level actions such as s3:ListBucket usually use arn:aws:s3:::bucket-name. Object-level actions such as s3:GetObject and s3:PutObject usually use arn:aws:s3:::bucket-name/* or a narrower object prefix.

Can S3 bucket policies use service principals?

Yes. Service principals are useful when another AWS service needs access to the bucket. The generator reuses its AWS service principal dataset, so you can search for entries such as logging.s3.amazonaws.com, cloudtrail.amazonaws.com, or delivery.logs.amazonaws.com.

Can I use wildcard resources in an S3 bucket policy?

You can use *, but S3 bucket policies are usually safer when scoped to explicit bucket or object ARNs. Wildcards are useful for drafts or broad administrative statements, but production policies should normally target the exact bucket and prefix that need access.
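The three answers above (bucket versus object ARNs, service principals, and wildcard resources) can be checked mechanically. The following Python script is an added example, not code from the generator or its output: it builds a small bucket policy document with a bucket-level statement on the bucket ARN, an object-level statement on a prefix, and a service-principal statement with an aws:SourceAccount condition, then lints any policy document for the mistakes those answers warn about. The bucket name and account ID are constructed sample values, the action sets are an illustrative subset rather than the full Service Authorization Reference, and the ARN regular expressions are simplified.

```python
import json
import re

# Constructed sample values for this example; substitute your own.
BUCKET = "example-bucket"
TRUSTED_ACCOUNT = "111122223333"

# Illustrative subset of S3 actions split by the resource level they apply to.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

# Simplified ARN shapes: a bare bucket ARN versus bucket ARN plus an object key or prefix.
BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}$")
OBJECT_ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}/.+$")


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def object_arn(bucket, prefix="*"):
    return f"arn:aws:s3:::{bucket}/{prefix}"


def statement(sid, effect, principal, actions, resources, condition=None):
    stmt = {"Sid": sid, "Effect": effect, "Principal": principal,
            "Action": sorted(actions), "Resource": sorted(resources)}
    if condition:
        stmt["Condition"] = condition
    return stmt


def build_policy(bucket, trusted_account):
    """Assemble a bucket policy that scopes each action to the matching ARN level."""
    account_root = {"AWS": f"arn:aws:iam::{trusted_account}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Bucket-level action on the bucket ARN.
            statement("AllowListFromTrustedAccount", "Allow", account_root,
                      ["s3:ListBucket"], [bucket_arn(bucket)]),
            # Object-level action narrowed to one prefix instead of the whole bucket.
            statement("AllowReadReportsPrefix", "Allow", account_root,
                      ["s3:GetObject"], [object_arn(bucket, "reports/*")]),
            # Service principal for server access log delivery, pinned to one account.
            statement("AllowServerAccessLogDelivery", "Allow",
                      {"Service": "logging.s3.amazonaws.com"},
                      ["s3:PutObject"], [object_arn(bucket, "logs/*")],
                      {"StringEquals": {"aws:SourceAccount": trusted_account}}),
        ],
    }


def lint_policy(policy):
    """Return human-readable findings for resource/action mismatches and over-broad grants."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Principal is a wildcard; any caller can match this statement")
        if isinstance(principal, dict) and "Service" in principal and "Condition" not in stmt:
            findings.append(f"{sid}: service principal without a Condition such as aws:SourceAccount")
        for res in resources:
            if res == "*":
                findings.append(f"{sid}: Resource '*' applies to every bucket and object")
                continue
            is_bucket = bool(BUCKET_ARN_RE.match(res))
            is_object = bool(OBJECT_ARN_RE.match(res))
            if not (is_bucket or is_object):
                findings.append(f"{sid}: '{res}' is not a valid S3 bucket or object ARN")
                continue
            for act in actions:
                if act in BUCKET_LEVEL_ACTIONS and not is_bucket:
                    findings.append(f"{sid}: {act} is bucket-level but '{res}' is an object ARN")
                elif act in OBJECT_LEVEL_ACTIONS and not is_object:
                    findings.append(f"{sid}: {act} is object-level but '{res}' is a bucket ARN")
    return findings


if __name__ == "__main__":
    policy = build_policy(BUCKET, TRUSTED_ACCOUNT)
    print(json.dumps(policy, indent=2))
    for finding in lint_policy(policy) or ["no findings"]:
        print(finding)
```

Run the script to print the generated document and any findings; the lint reports nothing for the built policy, and flags a statement that pairs s3:GetObject with a bare bucket ARN, s3:ListBucket with an object ARN, a wildcard Principal, or a service principal that carries no Condition.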

Can I use the generated output in Terraform or CloudFormation?

Yes. The JSON output is a standard S3 bucket policy document, the Terraform output includes an aws_iam_policy_document data source with aws_s3_bucket_policy, and the CloudFormation output creates an AWS::S3::BucketPolicy snippet.

Next step

Want AWS engineering that feels this practical?

I build these tools to make AWS easier to manage. If this level of quality is what you want in your own cloud platform, Towards The Cloud can help with landing zones, infrastructure as code, security reviews, migrations, and cost optimization.