What is least privilege and why does it matter?

Least privilege means granting only the actions and resources a principal genuinely needs. Scoping a policy to one bucket or table instead of asterisk limits the blast radius if credentials leak, which is the single most effective IAM control.

Can I restrict a policy to my office IP range?

Yes. Enabling the source-IP option adds a Condition with IpAddress on aws:SourceIp set to your CIDR, so the granted actions only succeed from those addresses. Be careful with services that call AWS on your behalf, as their IPs differ.

Why do some presets use a wildcard resource?

A few EC2 describe and management actions do not support resource-level ARNs, so AWS requires Resource asterisk for them. Where resource-level scoping is supported, the builder uses a specific ARN to stay least-privilege.

What is the difference between an identity policy and a resource policy?

An identity policy attaches to a user, group, or role and says what that principal may do. A resource policy attaches to the resource (like an S3 bucket) and says who may act on it. This tool builds identity policies.

Does Effect Allow grant access on its own?

Allow grants the listed actions, but an explicit Deny anywhere — in another attached policy, an SCP, or a permission boundary — always overrides it. Access is the union of Allows minus any Deny.

AWS IAM Policy Builder

An AWS IAM policy builder that generates least-privilege identity policy JSON. Pick a common role preset or supply your own actions and resource ARNs, optionally lock the policy to a source IP range, and copy a document you can attach to any user or role. No AWS credentials touch this page.

How it works

An IAM policy is a JSON document with Version: 2012-10-17 and one or more Statement blocks. Each statement combines an Effect (Allow or Deny), an Action list naming the API operations, and a Resource (one or more ARNs) the actions apply to. The builder maps each preset to a correct action set and ARN shape — for example S3 read-only grants s3:GetObject and s3:ListBucket against both the bucket and object ARNs, while DynamoDB CRUD targets a single table ARN.

The optional IP restriction adds a Condition block using IpAddress on aws:SourceIp, so the grant only takes effect from the CIDR you specify. Single-element action and resource lists are emitted as plain strings to match AWS’s own canonical form.

Tips and notes

Always scope to a specific ARN where the service supports it. Resource: "*" is convenient but defeats the purpose of least privilege.
Remember that an explicit Deny always wins. If a policy looks correct but access is blocked, check for a Deny in another attached policy, an SCP, or a permissions boundary.
The source-IP condition is great for human users but can break automation — services that call AWS on your behalf originate from different addresses, so test before enforcing it on service roles.
Use the custom mode to combine actions across services into one statement, but keep unrelated grants in separate statements with their own Sid for readability and auditing.

AWS IAM Policy Builder

Email me this result

How it works

Tips and notes