AWS - IAM

Introduction to AWS Identity and Access Management

Demo Resource Based Policy

In this tutorial, we’ll walk through attaching a resource-based policy to an existing S3 bucket in your AWS account. You’ll learn how to use the Policy Generator, customize the JSON, and apply it to grant fine-grained access.

1. Navigate to the S3 Console

  1. Open the AWS Management Console and go to S3.
  2. Click Buckets and use the filter to find company1-sales.

The image shows an AWS S3 Management Console with an account snapshot displaying total storage, object count, and average object size. It also lists a bucket named "company1-sales" in the US West (Oregon) region.

  3. Select company1-sales and switch to the Permissions tab.
  4. Scroll to Bucket policy and click Edit.
  5. At the top of the editor, choose Policy Generator instead of writing raw JSON.

2. Generate a Bucket Policy

In the Policy Generator form:

Field       Value
Effect      Allow
Principal   arn:aws:iam::629470242021:user/john
Service     S3
Actions     All Actions (s3:*)
Resource    arn:aws:s3:::company1-sales

Click Add Statement, then Generate Policy.

The image shows a screenshot of the AWS Policy Generator interface, where a user is configuring an S3 Bucket Policy by selecting actions and specifying permissions.

3. Review and Customize the JSON

The generator outputs a JSON policy similar to this:

{
  "Id": "Policy1696277356902",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1696277354841",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::629470242021:user/john"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company1-sales"
    }
  ]
}

Customize the Statement ID

Replace the auto-generated SID with something meaningful, for example JohnFullAccessToCompany1SalesBucket:

{
  "Id": "Policy1696277356902",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JohnFullAccessToCompany1SalesBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::629470242021:user/john"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company1-sales"
    }
  ]
}

Note

By default, this policy grants permissions only on the bucket itself, because the Resource is the bucket ARN alone. To allow object-level actions (e.g., GetObject, PutObject), turn Resource into an array that lists both the bucket ARN arn:aws:s3:::company1-sales and the object ARN arn:aws:s3:::company1-sales/*.

4. Apply the Policy

  1. Copy the finalized JSON.
  2. Paste it into the Bucket policy editor.
  3. Click Save changes.

You’ve now successfully attached a resource-based policy that grants the IAM user john full control over the company1-sales bucket.
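The script below is an added example, not part of the tutorial or of AWS documentation. It takes the Policy Generator output shown above, applies the two edits from step 3 (meaningful Sid, object-level ARN in Resource), runs a short pre-save review of the statement (public Principal, s3:* breadth, resources outside the bucket), and prints the AWS CLI command that is the equivalent of step 4's console editor. The review rules and the policy.json filename are the example's own choices.

```python
import json

# Policy as emitted by the Policy Generator (copied from the tutorial above).
GENERATED_POLICY = """{
  "Id": "Policy1696277356902",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1696277354841",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::629470242021:user/john"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company1-sales"
    }
  ]
}"""

BUCKET_ARN = "arn:aws:s3:::company1-sales"


def as_list(value):
    """IAM allows Action, Resource and Principal.AWS to be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def customize_policy(policy_json, sid, bucket_arn):
    """Apply the tutorial's edits: a meaningful Sid and the object-level ARN in Resource."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        stmt["Sid"] = sid
        resources = as_list(stmt["Resource"])
        object_arn = bucket_arn + "/*"
        if object_arn not in resources:  # idempotent: don't add it twice
            resources.append(object_arn)
        stmt["Resource"] = resources
    return policy


def review_policy(policy, bucket_arn):
    """Pre-save review of every Allow statement. Returns a list of findings (empty = clean)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or {"AWS": <string or list>}.
        principals = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else as_list(principal)
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' makes the bucket reachable by anyone")
        if "s3:*" in as_list(stmt.get("Action", [])):
            findings.append(f"{sid}: s3:* on the bucket ARN also permits bucket-level admin "
                            "actions such as s3:DeleteBucket and s3:PutBucketPolicy")
        for res in as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: Resource {res} is outside {bucket_arn}")
    return findings


def put_bucket_policy_command(bucket_name, policy_file="policy.json"):
    """CLI equivalent of step 4; policy_file is where the finalized JSON was saved."""
    return f"aws s3api put-bucket-policy --bucket {bucket_name} --policy file://{policy_file}"


if __name__ == "__main__":
    policy = customize_policy(GENERATED_POLICY, "JohnFullAccessToCompany1SalesBucket", BUCKET_ARN)
    print(json.dumps(policy, indent=2))
    for finding in review_policy(policy, BUCKET_ARN):
        print("finding:", finding)
    with open("policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    print(put_bucket_policy_command("company1-sales"))
```

Running it prints the customized policy, one finding (the s3:* breadth note, which is expected for this demo since the goal is full control for john), and the put-bucket-policy command. If the Principal were ever widened to "*", the review would flag that before anything is saved, which is the kind of check worth running on every bucket policy change.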


Policy Statement Elements

Element     Description                           Example
Sid         Unique identifier for the statement   JohnFullAccessToCompany1SalesBucket
Effect      Allow or Deny the action              Allow
Principal   The IAM user, role, or service        arn:aws:iam::629470242021:user/john
Action      The S3 operations permitted           s3:*
Resource    The bucket or object ARNs             arn:aws:s3:::company1-sales, arn:aws:s3:::company1-sales/*
