Demo Resource Based Policy

In this tutorial, we’ll walk through attaching a resource-based policy to an existing S3 bucket in your AWS account. You’ll learn how to use the Policy Generator, customize the JSON, and apply it to grant fine-grained access.

1. Navigate to the S3 Console

Open the AWS Management Console and go to S3.
Click Buckets and use the filter to find company1-sales.

The image shows an AWS S3 Management Console with an account snapshot displaying total storage, object count, and average object size. It also lists a bucket named "company1-sales" in the US West (Oregon) region.

Select company1-sales and switch to the Permissions tab.
Scroll to Bucket policy and click Edit.
At the top of the editor, choose Policy Generator instead of writing raw JSON.

2. Generate a Bucket Policy

In the Policy Generator form:

Field	Value
Effect	Allow
Principal	arn:aws:iam::629470242021:user/john
Service	S3
Actions	All Actions (`s3:*`)
Resource	arn:aws:s3:::company1-sales

Click Add Statement, then Generate Policy.

The image shows a screenshot of the AWS Policy Generator interface, where a user is configuring an S3 Bucket Policy by selecting actions and specifying permissions.

3. Review and Customize the JSON

The generator outputs a JSON policy similar to this:

{
  "Id": "Policy1696277356902",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1696277354841",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::629470242021:user/john"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company1-sales"
    }
  ]
}

Customize the Statement ID

Replace the auto-generated SID with something meaningful, for example JohnFullAccessToCompany1SalesBucket:

{
  "Id": "Policy1696277356902",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JohnFullAccessToCompany1SalesBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::629470242021:user/john"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company1-sales"
    }
  ]
}

By default, this policy grants permissions only on the bucket itself. To allow object-level actions (e.g., GetObject, PutObject), add the ARN arn:aws:s3:::company1-sales/* to the Resource array.

4. Apply the Policy

Copy the finalized JSON.
Paste it into the Bucket policy editor.
Click Save changes.

You’ve now successfully attached a resource-based policy that grants the IAM user john full control over the company1-sales bucket.

Policy Statement Elements

Element	Description	Example
Sid	Unique identifier for the statement	`JohnFullAccessToCompany1SalesBucket`
Effect	Allow or Deny the action	`Allow`
Principal	The IAM user, role, or service	`arn:aws:iam::629470242021:user/john`
Action	The S3 operations permitted	`s3:*`
Resource	The bucket or object ARNs	`arn:aws:s3:::company1-sales` `arn:aws:s3:::company1-sales/*`

Introduction

Introduction to AWS Identity and Access Management

IAM Policies, Federation, STS and MFA

Configure AWS IAM at Scale

Demo Resource Based Policy

1. Navigate to the S3 Console

2. Generate a Bucket Policy

3. Review and Customize the JSON

Customize the Statement ID

4. Apply the Policy

Policy Statement Elements

Links and References

Watch Video

Practice Lab

Introduction

Introduction to AWS Identity and Access Management

IAM Policies, Federation, ​STS and MFA​

Configure AWS​ IAM at Scale​

Documentation Index

​1. Navigate to the S3 Console

​2. Generate a Bucket Policy

​3. Review and Customize the JSON

​Customize the Statement ID

​4. Apply the Policy

​Policy Statement Elements

​Links and References

Watch Video

Practice Lab

IAM Policies, Federation, STS and MFA

Configure AWS IAM at Scale

1. Navigate to the S3 Console

2. Generate a Bucket Policy

3. Review and Customize the JSON

Customize the Statement ID

4. Apply the Policy

Policy Statement Elements

Links and References