AWS IAM Policy Generator

Generate AWS IAM policies from searchable action metadata and export ready-to-use JSON, Terraform, or CloudFormation snippets.

Step 1

Configure defaults

Set the policy mode and ARN defaults before choosing actions. These values seed generated resources and principals for new action cards.

Step 2

Choose the actions

Tip: use asterisks to match anything and commas to filter multiple values at once.

Build IAM policies from AWS action metadata

This generator uses AWS IAM action metadata to help you find actions, pick resources and condition keys, and turn the result into policy documents you can paste into AWS, Terraform, or CloudFormation.

How to use the IAM policy generator

  1. Search for an AWS service, service prefix, or action name.
  2. Filter actions by access level when you only want list, read, write, permission, or tagging actions.
  3. Choose whether you are building an identity policy or a resource/trust policy.
  4. Configure resources, condition keys, and principals for the selected actions.
  5. Copy the generated JSON, Terraform, or CloudFormation policy document.

Identity policies vs resource policies

IAM identity policies attach to users, groups, or roles and do not contain a Principal element. Resource-based policies and trust policies include principals because they define who can access or assume the target resource. The generator hides or shows principal controls based on the selected policy type.

Least-privilege policy workflow

Start with the smallest set of actions you know you need, replace wildcard resources with specific ARNs when the service supports them, then add conditions for tags, organization IDs, source accounts, or other context keys where they fit your access model.
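The two sections above can be checked mechanically before a generated policy is deployed. The following Python lint is an added example, not the generator's own code: the function names, the finding wording, and the sample policies (bucket name, account ID, organization ID) are constructed for illustration.

```python
def as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def lint_policy(policy, policy_type):
    """Return findings for a policy dict; policy_type is 'identity' or 'resource'."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if policy_type == "identity" and has_principal:
            findings.append(f"{sid}: identity policy must not contain Principal")
        if policy_type == "resource" and not has_principal:
            findings.append(f"{sid}: resource/trust policy needs a Principal")
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard in action {action}")
        unconditioned = "Condition" not in stmt
        if "*" in as_list(stmt.get("Resource", [])) and unconditioned:
            findings.append(f"{sid}: Resource '*' with no Condition")
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = "*" if "*" in as_list(principal.get("AWS", [])) else None
        if principal == "*" and unconditioned:
            findings.append(f"{sid}: Principal '*' with no Condition")
    return findings

# Constructed sample policies (all names and IDs are placeholders).
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Broad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*"}]}
TRUST = {"Version": "2012-10-17", "Statement": {
    "Sid": "OrgAssume", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}}

if __name__ == "__main__":
    for name, doc, kind in [("BROAD", BROAD, "identity"),
                            ("SCOPED", SCOPED, "identity"),
                            ("TRUST", TRUST, "resource")]:
        print(name, kind, lint_policy(doc, kind) or "ok")
```

The lint is structural only: it does not know which services support resource-level ARNs or which condition keys apply to a given action, so a clean result still needs review against the action metadata.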

Next step

Want AWS engineering that feels this practical?

I build these tools to make AWS easier to manage. If this level of quality is what you want in your own cloud platform, Towards The Cloud can help with landing zones, infrastructure as code, security reviews, migrations, and cost optimization.