Create New Policy

A step-by-step guide to creating an AWS IAM policy to define permissions for users, groups, and roles.

15 minutes
Intermediate

Overview

An IAM policy is a JSON document that defines a set of permissions. Creating a custom policy is a key part of implementing the principle of least privilege, where you grant only the necessary permissions to your users and services. This guide will show you how to create a policy to allow read-only access to a specific S3 bucket.

Prerequisites

  • An active AWS account
  • Access to the IAM Management Console
  • The name of an S3 bucket you wish to grant access to

Step 1: Access the IAM Console

Navigate to the IAM service in the AWS Management Console.

  1. Sign in to the AWS Management Console
  2. In the search bar, type "IAM" and select it from the dropdown
  3. In the left-hand navigation pane, click on "Policies"

Step 2: Create a New Policy

Now, you will use the policy editor to create your new policy.

  1. Click the "Create policy" button
  2. You will be presented with a choice between the Visual editor and JSON editor

Use the Visual Editor (Recommended for beginners)

  1. On the "Visual editor" tab, click "Choose a service"
  2. Type "S3" and select "S3"
  3. Under "Actions", expand the "Read" section and select the following actions:
    • ListBucket: Allows listing the objects in the bucket
    • GetObject: Allows reading objects in the bucket
  4. Under "Resources", select "Specific" and click "Add ARN"
    • Enter the ARN for your bucket (e.g., arn:aws:s3:::my-example-bucket)
    • Enter the ARN for all objects in your bucket (e.g., arn:aws:s3:::my-example-bucket/*)

Use the JSON Editor (Advanced)

Alternatively, you can switch to the "JSON" tab and paste the following policy document, replacing my-example-bucket with your bucket's name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-example-bucket",
                "arn:aws:s3:::my-example-bucket/*"
            ]
        }
    ]
}
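The policy above works because its two resource ARNs line up with the two actions: s3:ListBucket is a bucket-level action that only matches the bare bucket ARN, while s3:GetObject is an object-level action that only matches the bucket/* ARN. Leaving either ARN out is the usual reason this policy returns AccessDenied. The script below is an added example, not part of the original guide: it fills the bucket name into the same policy document, lints it against a few least-privilege rules (no wildcard actions or resources, bucket-level and object-level actions each paired with the right ARN shape), and evaluates sample requests with a minimal default-deny matcher. The evaluator is a deliberate simplification of IAM (Allow statements and * / ? wildcards only; no explicit Deny, conditions, resource policies, SCPs or permission boundaries), and the action lists BUCKET_LEVEL and OBJECT_LEVEL are a small hand-picked subset chosen for this example.

```python
"""Build, lint and evaluate the read-only S3 policy from the guide.

Added example for this guide, not AWS or console code. The evaluator is a
deliberately minimal model of IAM: Allow statements only, default deny,
'*' and '?' wildcards. Real IAM evaluation also applies explicit Deny,
conditions, resource policies, SCPs and permission boundaries.
"""
import json
import re

# Hand-picked subset (assumption for this example) of actions that apply to
# the bucket itself versus to objects inside it. A bucket-level action that
# is granted only on the "bucket/*" ARN never matches and is denied.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def build_read_only_policy(bucket: str) -> dict:
    """Return the guide's policy document with the bucket name filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"{S3_ARN_PREFIX}{bucket}", f"{S3_ARN_PREFIX}{bucket}/*"],
            }
        ],
    }


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny: allowed only if some Allow statement matches action AND resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_ok = any(_matches(a.lower(), action.lower()) for a in actions)
        resource_ok = any(_matches(r, resource) for r in resources)
        if action_ok and resource_ok:
            return True
    return False


def lint_least_privilege(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy passes."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17 (the current policy language version)")
    for i, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in resources:
            if r == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
        s3_paths = [r[len(S3_ARN_PREFIX):] for r in resources if r.startswith(S3_ARN_PREFIX)]
        has_bucket_arn = any("/" not in p for p in s3_paths)
        has_object_arn = any("/" in p for p in s3_paths)
        if any(a in BUCKET_LEVEL for a in actions) and not has_bucket_arn:
            findings.append(f"statement {i}: bucket-level action without a bucket ARN (e.g. ListBucket would be denied)")
        if any(a in OBJECT_LEVEL for a in actions) and not has_object_arn:
            findings.append(f"statement {i}: object-level action without an object ARN (bucket/*)")
    return findings


if __name__ == "__main__":
    policy = build_read_only_policy("my-example-bucket")  # constructed sample bucket name
    print(json.dumps(policy, indent=4))
    print("findings:", lint_least_privilege(policy) or "none")
    # Constructed sample requests: read is allowed, write and other buckets are not.
    print(is_allowed(policy, "s3:GetObject", "arn:aws:s3:::my-example-bucket/reports/q1.csv"))
    print(is_allowed(policy, "s3:PutObject", "arn:aws:s3:::my-example-bucket/reports/q1.csv"))
```

Run it as-is to print the filled-in document and the evaluation of a couple of constructed requests; paste the printed JSON into the JSON tab, or feed the lint function the document exported from an existing policy to catch the bucket/* -only mistake before attaching it.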

Review Policy Details

  1. Click "Next: Tags" (tags are optional)
  2. On the "Review" page, give your policy a descriptive name, e.g., S3ReadOnlyAccess-my-bucket
  3. Add a description for clarity
  4. Click "Create policy"

Step 3: Attach the Policy

Your new policy is now created. You can attach it to an IAM user, group, or role.

Example: To attach it to a user, go to the user's page in the IAM console, click on "Add permissions", and attach the policy you just created.

Next Steps

With your new policy ready, you are prepared for the next step.

  • Learn how to create a new IAM user and attach this policy to them
  • Explore how to create access keys for programmatic access