S3 Bucket Policy Generator for AWS
Use our free S3 bucket policy generator to build a valid Amazon S3 policy in minutes. Whether you need an AWS S3 policy generator to restrict access to a single bucket or a full bucket policy generator for a multi-account setup, this AWS bucket policy generator produces properly formatted JSON you can attach directly to your bucket. For background on how bucket policies work, see the AWS S3 bucket policy documentation.
Learn how to grant another AWS account access to your bucket — step-by-step, with a ready-to-use policy and CLI/PowerShell verification commands.
Generate a policy, then export it as Terraform, OpenTofu, CloudFormation, AWS CDK, or Pulumi.
Policy Validation Tool
Configure your policy settings and click "Generate Policy" to see the result here, or validate an existing policy using one of the options below.
Why use this S3 policy generator?
Built for S3 bucket policies specifically
Choose actions and bucket or object ARNs, and get a ready-to-use S3 bucket policy document — no manual JSON editing required.
Works as a bucket policy generator for any case
Combine multiple actions, resources, and conditions to model public access, cross-account access, or tightly scoped bucket permissions.
Validate existing bucket policies
Paste or import an existing S3 policy to check its syntax and review it against AWS security best practices.
Free AWS S3 policy generator
No account, no signup, and no cost. Generate and export as many S3 bucket policies as you need.
What is an S3 bucket policy?
An S3 bucket policy is a JSON document attached directly to an Amazon S3 bucket that defines what actions are allowed or denied on that bucket and its objects, for which principals, and under which conditions. It's a resource-based policy, so it works alongside — not instead of — IAM policies attached to your users and roles.
Writing bucket policies by hand is error-prone: a single mistake in a resource ARN or principal can accidentally expose a bucket publicly, or block access you intended to allow. An S3 policy generator removes that risk by assembling the JSON for you from a guided set of choices.
This tool works as an AWS policy generator for S3 for common use cases — restricting access by IP, enforcing HTTPS, granting cross-account access, or allowing public read access to specific objects — and as a general-purpose bucket policy creator when you need to hand-tune actions, resources, and conditions.
Cross-Account Access S3 Bucket Policy
A common use for an S3 bucket policy is granting another AWS account access to your bucket without creating IAM users in your own account. The walkthrough below shows how Account A (the bucket owner) can grant Account B permission to list a bucket and read its lifecycle configuration — the same pattern applies to any other combination of S3 actions.
Step 1.1: Sign in to the AWS Management Console
Using the IAM user sign-in URL for Account A, sign in to the AWS Management Console as the AccountAadmin user. This user will create the bucket and attach a policy to it.
Step 1.2: Create a bucket
In the Amazon S3 console, create a bucket. This example assumes the bucket is created in the US East (N. Virginia) AWS Region and is named amzn-s3-demo-bucket. For instructions, see Creating a general purpose bucket.
Then upload a sample object to the bucket. For instructions, see Uploading an object to your bucket.
Step 1.3: Attach a bucket policy to grant cross-account permissions to Account B
The bucket policy below grants the s3:GetLifecycleConfiguration and s3:ListBucket permissions to Account B. It's assumed that you're still signed in to the console as the AccountAadmin user.
Attach the following bucket policy to amzn-s3-demo-bucket. Replace 111122223333 with Account B's actual account ID. For instructions, see Adding a bucket policy using the Amazon S3 console.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"s3:GetLifecycleConfiguration",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
]
}
]
}Want to build a policy like this without writing the JSON by hand? Set the resources above to your bucket ARN, add the GetLifecycleConfiguration and ListBucket actions, and add a condition or edit the generated Principal in the generator above.
Verify the cross-account access
Once the policy is attached, verify that Account B (and its administrator user) can perform the allowed operations.
Verify using the AWS CLI
aws s3 ls s3://amzn-s3-demo-bucket --profile AccountBadmin aws s3api get-bucket-lifecycle-configuration --bucket amzn-s3-demo-bucket --profile AccountBadmin
Verify using the AWS Tools for Windows PowerShell
Get-S3Object -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBadmin Get-S3BucketLifecycleConfiguration -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBadmin
For the full walkthrough, including setting up Account B's IAM permissions, see Example walkthrough: Cross-account bucket permissions in the AWS documentation.
Frequently Asked Questions
What does an S3 bucket policy generator do?
An S3 bucket policy generator turns a set of choices — actions, bucket or object resources, and conditions — into a valid Amazon S3 bucket policy JSON document, so you don't have to write the syntax by hand.
Is this AWS S3 policy generator free to use?
Yes. This bucket policy generator is completely free, requires no signup, and runs entirely in your browser — your policies are never sent to a server.
What's the difference between an S3 bucket policy and an IAM policy?
An S3 bucket policy is attached to the bucket itself and controls who can access it. An IAM policy is attached to a user, group, or role and controls what that identity can do. Access is granted only when both allow it. If you need an IAM policy instead, use our IAM Policy Generator.
How do I grant cross-account access to an S3 bucket?
Attach a bucket policy that sets the Principal to the other account's ARN (e.g. arn:aws:iam::111122223333:root) and lists the actions you want to allow, such as s3:GetLifecycleConfiguration and s3:ListBucket. See the cross-account access walkthrough above for the full example and verification steps.
Can I use this as a general AWS bucket policy generator?
Yes. You can add multiple actions, resources, and conditions to a single bucket policy, covering common patterns like public read access, HTTPS-only access, or cross-account access, then export the resulting JSON document.