AWS IAM Policy Generator

Generate AWS IAM policies from searchable action metadata and export ready-to-use JSON, Terraform, or CloudFormation snippets.

Step 1: Configure defaults

Set the policy mode and ARN defaults before choosing actions. These values seed generated resources and principals for new action cards.

Step 2: Choose the actions


Tip: use asterisks to match anything and commas to filter multiple values at once.

Step 3: Configure actions


Build IAM policies from AWS action metadata

This generator uses AWS IAM action metadata to help you find actions, pick resources and condition keys, and turn the result into policy documents you can paste into AWS, Terraform, or CloudFormation.

How to use the IAM policy generator

  1. Search for an AWS service, service prefix, or action name.
  2. Filter actions by access level when you only want list, read, write, permission, or tagging actions.
  3. Choose whether you are building an identity policy or a resource/trust policy.
  4. Configure resources, condition keys, and principals for the selected actions.
  5. Copy the generated JSON, Terraform, or CloudFormation policy document.

Identity policies vs resource policies

IAM identity policies attach to users, groups, or roles and do not contain a Principal element. Resource-based policies and trust policies include principals because they define who can access or assume the target resource. The generator hides or shows principal controls based on the selected policy type.
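The structural difference described above, as an added example that is not part of this generator's code: two small builders, one for an identity policy (no Principal element) and one for a role trust policy (a Principal element naming the service that may assume the role, narrowed with aws:SourceAccount and aws:SourceArn). The account id, bucket ARN and function ARN pattern are constructed sample values.

```python
"""Identity policy vs. trust policy builders (added example).

ACCOUNT_ID, BUCKET_ARN and the Lambda ARN pattern below are constructed
sample values, not real resources.
"""
import json

ACCOUNT_ID = "111122223333"  # constructed sample account id
BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"  # constructed sample ARN
POLICY_VERSION = "2012-10-17"


def identity_policy(actions, resources, condition=None):
    """Build a single-statement identity policy.

    Identity policies attach to a user, group or role, so the principal is
    implied by the attachment and the statement carries no Principal element.
    """
    statement = {"Effect": "Allow", "Action": sorted(actions), "Resource": resources}
    if condition:
        statement["Condition"] = condition
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def trust_policy(service_principal, source_account=None, source_arn=None):
    """Build a role trust policy for an AWS service principal.

    A trust policy is a resource-based policy on the role, so it must say who
    may assume it (Principal). The aws:SourceAccount / aws:SourceArn conditions
    restrict which resource, in which account, the service may act on behalf of.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": service_principal},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if source_account:
        condition.setdefault("StringEquals", {})["aws:SourceAccount"] = source_account
    if source_arn:
        condition.setdefault("ArnLike", {})["aws:SourceArn"] = source_arn
    if condition:
        statement["Condition"] = condition
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def has_principal(policy):
    """True if any statement names a Principal (or NotPrincipal)."""
    return any("Principal" in s or "NotPrincipal" in s for s in policy["Statement"])


def to_json(policy):
    """Render the policy as the JSON document AWS, Terraform or CloudFormation accept."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Permissions the role gets (identity policy): read one bucket, one region only.
    role_permissions = identity_policy(
        ["s3:GetObject", "s3:ListBucket"],
        [BUCKET_ARN, BUCKET_ARN + "/*"],
        condition={"StringEquals": {"aws:RequestedRegion": "eu-west-1"}},
    )
    # Who may assume the role (trust policy): Lambda functions in our account only.
    role_trust = trust_policy(
        "lambda.amazonaws.com",
        source_account=ACCOUNT_ID,
        source_arn=f"arn:aws:lambda:eu-west-1:{ACCOUNT_ID}:function:report-*",
    )
    print(to_json(role_permissions))
    print(to_json(role_trust))
```

Run it and compare the two documents: only the trust policy carries a Principal, and only the trust policy needs the source-account and source-ARN conditions, because that is the document deciding who can assume the role.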

Least-privilege policy workflow

Start with the smallest set of actions you know you need; replace wildcard resources with specific ARNs where the service supports them; then add conditions for tags, organization IDs, source accounts, or other context keys that fit your access model.

Need a service-specific resource policy? Switch to the S3 bucket policy generator, SNS topic policy generator, SQS queue policy generator, or VPC endpoint policy generator.

Already have policy JSON? Use the AWS IAM policy validator to test it for syntax and security findings, the IAM policy tester to check expected allow and deny decisions, or the IAM policy converter to turn reviewed JSON into Terraform, CloudFormation, or CDK snippets.

Frequently asked questions

Should I create an IAM identity policy or a resource policy?

Use an identity policy when permissions should attach to a user, group, or role. Use a resource policy when the permission belongs on the resource itself, such as a trust policy, bucket policy, key policy, or topic policy that needs explicit principals.

Why do IAM identity policies omit Principal?

Identity policies already inherit their principal from the identity they are attached to. Resource-based policies and trust policies need a Principal element because the policy document itself defines who can use the resource or assume the role.

When should I use service principals?

Use a service principal when an AWS service needs to assume a role or access a resource, such as lambda.amazonaws.com, events.amazonaws.com, or cloudtrail.amazonaws.com. The generator uses the shared AWS service principal dataset so you can search instead of typing values from memory.

Can I use wildcard actions or resources in an IAM policy?

Wildcards are valid IAM syntax, but they should be a deliberate exception. Prefer specific actions and resource ARNs when the service supports them, then use conditions to narrow access further.

Which condition keys should I add to IAM policies?

Start with the condition keys AWS documents for the selected action and resource type. Common hardening keys include organization ID, source account, source ARN, requested region, resource tags, and principal tags, depending on the service and access pattern.
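The least-privilege workflow, the wildcard FAQ and the condition-key FAQ above describe the same review. As an added example that is not part of this generator, here is a small lint pass over a policy document that flags exactly those three things: wildcard actions, wildcard resources, and Allow statements that carry none of the hardening condition keys the page lists. The sample policy at the bottom is constructed.

```python
"""Least-privilege lint for IAM policy documents (added example).

Flags wildcard actions, wildcard resources, and Allow statements with no
hardening condition. SAMPLE_POLICY is a constructed example document.
"""

# Global condition keys the page lists as common hardening controls.
HARDENING_KEYS = {
    "aws:PrincipalOrgID",
    "aws:SourceAccount",
    "aws:SourceArn",
    "aws:RequestedRegion",
}
# Tag-based keys carry a tag name after the slash, so match on the prefix.
HARDENING_PREFIXES = ("aws:ResourceTag/", "aws:PrincipalTag/")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Flatten {operator: {key: value}} into the set of condition keys used."""
    return {key for operands in statement.get("Condition", {}).values() for key in operands}


def lint_policy(policy):
    """Return a list of (statement_index, finding, detail) tuples."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only ever remove access; not a privilege risk
        for action in _as_list(statement.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((index, "wildcard-action", action))
        for resource in _as_list(statement.get("Resource")):
            if resource == "*":
                findings.append((index, "wildcard-resource", resource))
        keys = _condition_keys(statement)
        hardened = any(k in HARDENING_KEYS or k.startswith(HARDENING_PREFIXES) for k in keys)
        if not hardened:
            findings.append((index, "no-hardening-condition", ",".join(sorted(keys)) or "-"))
    return findings


# Constructed sample: one over-broad statement, one tight statement, one Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for index, finding, detail in lint_policy(SAMPLE_POLICY):
        print(f"statement[{index}] {finding}: {detail}")
```

On the sample, the first statement produces all three findings, the second (specific action, specific ARN, organization-ID condition) produces none, and the Deny statement is skipped even though it uses wildcards, because a Deny can only remove access. The check is deliberately conservative: a condition key outside the listed set (such as aws:SecureTransport) still counts as unhardened, so the detail column shows which keys were present for a human to judge.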

Can I use the generated IAM policy in Terraform or CloudFormation?

Yes. The JSON output is a standard IAM policy document, the Terraform output uses aws_iam_policy_document, and the CloudFormation output creates policy document snippets that can be attached to IAM resources.

Next step

Want AWS engineering that feels this practical?

I build these tools to make AWS easier to manage. If this level of quality is what you want in your own cloud platform, Towards The Cloud can help with landing zones, infrastructure as code, security reviews, migrations, and cost optimization.