Why are there two ARN forms — with and without /*?

The bucket ARN arn:aws:s3:::name targets bucket-level actions like s3:ListBucket, while the object ARN arn:aws:s3:::name/* targets object actions like s3:GetObject. Using the wrong form silently denies access, which is a common cause of mysterious 403s.

My public-read policy is being ignored. Why?

S3 Block Public Access settings override bucket policies. If the account or bucket blocks public policies, your Allow with Principal asterisk is dropped. Disable the relevant Block Public Access toggle for buckets that are intentionally public.

What is the CloudFront OAC policy for?

Origin Access Control lets a private bucket serve content only through a specific CloudFront distribution. The policy grants s3:GetObject to the CloudFront service principal and uses a Condition on AWS:SourceArn so no other distribution can read the bucket.

How does the force-TLS policy improve security?

It adds a Deny statement on all S3 actions when aws:SecureTransport is false, rejecting any request made over plain HTTP. Because explicit Deny always wins, this guarantees every object access is encrypted in transit.

Does cross-account root mean any user in that account?

Granting to arn:aws:iam::ACCOUNT:root delegates trust to the whole account, but those users still need matching IAM permissions on their side. It is a delegation, not an automatic grant to every principal in the other account.

AWS S3 Bucket Policy Builder

An S3 bucket policy builder that generates correct AWS bucket policy JSON for the cases teams hit most: making assets publicly readable, sharing a bucket with another account, locking a bucket to a CloudFront distribution via Origin Access Control, and forcing all access over TLS. It picks the right ARN form and Condition keys for each so you avoid the classic 403 traps.

How it works

An S3 bucket policy is an IAM policy document (Version: 2012-10-17) attached to the bucket. The crucial detail is the Resource ARN: bucket-level actions such as s3:ListBucket use arn:aws:s3:::bucket, while object actions such as s3:GetObject use arn:aws:s3:::bucket/*. The builder emits whichever form — or both — each use case needs.

Each preset sets the right Principal and Condition. Public read uses Principal: "*"; cross-account targets the other account’s root ARN; CloudFront OAC grants the cloudfront.amazonaws.com service principal with a StringEquals condition on the distribution’s AWS:SourceArn; and force-TLS uses a Deny with aws:SecureTransport: false, which always overrides any Allow.

Tips and notes

Public-read policies do nothing if Block Public Access is on. For genuinely public buckets, disable the public-policy toggle deliberately and document why.
Prefer CloudFront OAC over making a bucket public — it keeps the bucket private and serves content only through the CDN, with the SourceArn condition preventing access from other distributions.
Layer the force-TLS Deny onto any bucket holding sensitive data; an explicit Deny beats every Allow, so it is a safe, additive guardrail.
Bucket policies are resource-based; cross-account access also needs matching IAM permissions on the caller’s side. One half alone will not grant access.

AWS S3 Bucket Policy Builder

Email me this result

How it works

Tips and notes