S3 Bucket Policy Generator for AWS

Use our free S3 bucket policy generator to build a valid Amazon S3 policy in minutes. Whether you need an AWS S3 policy generator to restrict access to a single bucket or a full bucket policy generator for a multi-account setup, this AWS bucket policy generator produces properly formatted JSON you can attach directly to your bucket. For background on how bucket policies work, see the AWS S3 bucket policy documentation.

Cross-Account Access S3 Bucket Policy AddedNew!

Learn how to grant another AWS account access to your bucket — step-by-step, with a ready-to-use policy and CLI/PowerShell verification commands.

Policy Settings
Amazon S3Storage
*
Policy Checker & Validator
Import a JSON file or paste policy content to validate syntax and check for best practices
Infrastructure as CodeNEW

Generate a policy, then export it as Terraform, OpenTofu, CloudFormation, AWS CDK, or Pulumi.

Policy Validation Tool

Configure your policy settings and click "Generate Policy" to see the result here, or validate an existing policy using one of the options below.

Why use this S3 policy generator?

Built for S3 bucket policies specifically

Choose actions and bucket or object ARNs, and get a ready-to-use S3 bucket policy document — no manual JSON editing required.

Works as a bucket policy generator for any case

Combine multiple actions, resources, and conditions to model public access, cross-account access, or tightly scoped bucket permissions.

Validate existing bucket policies

Paste or import an existing S3 policy to check its syntax and review it against AWS security best practices.

Free AWS S3 policy generator

No account, no signup, and no cost. Generate and export as many S3 bucket policies as you need.

What is an S3 bucket policy?

An S3 bucket policy is a JSON document attached directly to an Amazon S3 bucket that defines what actions are allowed or denied on that bucket and its objects, for which principals, and under which conditions. It's a resource-based policy, so it works alongside — not instead of — IAM policies attached to your users and roles.

Writing bucket policies by hand is error-prone: a single mistake in a resource ARN or principal can accidentally expose a bucket publicly, or block access you intended to allow. An S3 policy generator removes that risk by assembling the JSON for you from a guided set of choices.

This tool works as an AWS policy generator for S3 for common use cases — restricting access by IP, enforcing HTTPS, granting cross-account access, or allowing public read access to specific objects — and as a general-purpose bucket policy creator when you need to hand-tune actions, resources, and conditions.

Cross-Account Access S3 Bucket Policy

A common use for an S3 bucket policy is granting another AWS account access to your bucket without creating IAM users in your own account. The walkthrough below shows how Account A (the bucket owner) can grant Account B permission to list a bucket and read its lifecycle configuration — the same pattern applies to any other combination of S3 actions.

Step 1.1: Sign in to the AWS Management Console

Using the IAM user sign-in URL for Account A, sign in to the AWS Management Console as the AccountAadmin user. This user will create the bucket and attach a policy to it.

Step 1.2: Create a bucket

In the Amazon S3 console, create a bucket. This example assumes the bucket is created in the US East (N. Virginia) AWS Region and is named amzn-s3-demo-bucket. For instructions, see Creating a general purpose bucket.

Then upload a sample object to the bucket. For instructions, see Uploading an object to your bucket.

Step 1.3: Attach a bucket policy to grant cross-account permissions to Account B

The bucket policy below grants the s3:GetLifecycleConfiguration and s3:ListBucket permissions to Account B. It's assumed that you're still signed in to the console as the AccountAadmin user.

Attach the following bucket policy to amzn-s3-demo-bucket. Replace 111122223333 with Account B's actual account ID. For instructions, see Adding a bucket policy using the Amazon S3 console.

{
   "Version":"2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
         },
         "Action": [
            "s3:GetLifecycleConfiguration",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::amzn-s3-demo-bucket"
         ]
      }
   ]
}

Want to build a policy like this without writing the JSON by hand? Set the resources above to your bucket ARN, add the GetLifecycleConfiguration and ListBucket actions, and add a condition or edit the generated Principal in the generator above.

Verify the cross-account access

Once the policy is attached, verify that Account B (and its administrator user) can perform the allowed operations.

Verify using the AWS CLI

aws s3 ls s3://amzn-s3-demo-bucket --profile AccountBadmin
aws s3api get-bucket-lifecycle-configuration --bucket amzn-s3-demo-bucket --profile AccountBadmin

Verify using the AWS Tools for Windows PowerShell

Get-S3Object -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBadmin
Get-S3BucketLifecycleConfiguration -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBadmin

For the full walkthrough, including setting up Account B's IAM permissions, see Example walkthrough: Cross-account bucket permissions in the AWS documentation.

Frequently Asked Questions

What does an S3 bucket policy generator do?

An S3 bucket policy generator turns a set of choices — actions, bucket or object resources, and conditions — into a valid Amazon S3 bucket policy JSON document, so you don't have to write the syntax by hand.

Is this AWS S3 policy generator free to use?

Yes. This bucket policy generator is completely free, requires no signup, and runs entirely in your browser — your policies are never sent to a server.

What's the difference between an S3 bucket policy and an IAM policy?

An S3 bucket policy is attached to the bucket itself and controls who can access it. An IAM policy is attached to a user, group, or role and controls what that identity can do. Access is granted only when both allow it. If you need an IAM policy instead, use our IAM Policy Generator.

How do I grant cross-account access to an S3 bucket?

Attach a bucket policy that sets the Principal to the other account's ARN (e.g. arn:aws:iam::111122223333:root) and lists the actions you want to allow, such as s3:GetLifecycleConfiguration and s3:ListBucket. See the cross-account access walkthrough above for the full example and verification steps.

Can I use this as a general AWS bucket policy generator?

Yes. You can add multiple actions, resources, and conditions to a single bucket policy, covering common patterns like public read access, HTTPS-only access, or cross-account access, then export the resulting JSON document.