S3 Bucket Policy Generator Tool - Visual Builder and Linter for AWS S3 Bucket Policies
All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your bucket policy never leaves your device.
- This tool is provided "AS IS" without any warranties of any kind.
- The author accepts no responsibility for misconfigured bucket policies that cause data exposure, privilege escalation, or service disruption.
- The built-in linter is heuristic and advisory only; it is not a substitute for AWS IAM Access Analyzer or a security review.
- Always test the generated policy in a non-production bucket before applying it to production.
- By using this tool, you accept full responsibility for any outcomes.
This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.
1. Bucket Identity
2. Template Presets
Click a preset to append one or more ready-made statements you can then customize. Presets use AWS documentation dummy values (account 123456789012, distribution EDFDVBD6EXAMPLE, VPC endpoint vpce-1234abcd, etc.) — replace them with your own.
3. Import Existing Policy (optional)
4. Statements
5. Validation
6. Best-Practice Linter
Findings update automatically as you edit. Severities follow IAM Access Analyzer conventions: CRITICAL / HIGH / MEDIUM / LOW / INFO.
7. Generated Output
8. Recent Policies (saved in your browser)
The most recent 3 manually saved policies are kept in your browser's localStorage. Nothing is sent anywhere. Use this to quickly switch between two or three drafts you are comparing.
Features
- Visual statement builder: Add, reorder, and remove statements with form-driven controls for Sid, Effect, Principal / NotPrincipal, Action / NotAction, Resource / NotResource, and Condition.
- 10 template presets: Public Read for Static Website, CloudFront OAC Only, CloudFront OAI (Legacy), Cross-Account Read-Only, Deny Insecure Transport, VPC Endpoint Only, IP Restriction, Specific IAM Principal Only, MFA Required for Deletes, and Cross-Region Replication (Destination).
- Three output formats: Pretty JSON for the AWS console, Minified JSON for embedding into IaC variables, and CloudFormation YAML for AWS::S3::BucketPolicy.
- Built-in best-practice linter: 10 rules covering public Allow without conditions, missing TLS-only Deny, wildcard Resource, bucket / object ARN mismatch with action scope, Allow / Deny conflicts, NotPrincipal pitfalls, CloudFront aws:SourceArn confused-deputy, and more.
- Bidirectional editing: Paste an existing policy JSON or drop a .json file to import it into the visual builder, then re-export.
- Policy size indicator: Live byte count with a warning at 80% of the 20 KB hard limit imposed by S3.
- Recent policies: Up to three manual snapshots are kept in your browser's localStorage; an auto-save also restores your last session on reload.
- 100% client-side: No fetch, no XMLHttpRequest, no WebSocket. The page works offline once loaded.
How to Use
- Set the Bucket Name at the top — presets and the Quick-add ARN buttons use it to construct ARNs.
- Click a Template Preset to append one or more starter statements, or click + Add Statement to start from a blank statement.
- For each statement, configure the Effect (Allow / Deny), Principal (AWS / Service / Federated / CanonicalUser / *), one or more Actions (checkbox grid + custom-action input), Resource ARN(s), and optional Condition(s).
- Reorder statements with the ↑ / ↓ buttons in each card header. Remove with the Remove button.
- To start from an existing policy, paste JSON in Section 3 (or drop a file) and click Import to Builder.
- Review live findings under 5. Validation (syntactic) and 6. Best-Practice Linter (security & correctness).
- Switch between Pretty JSON, Minified JSON, and CloudFormation YAML tabs in Section 7 to see the generated output, then Copy or Download it.
- Click Save Current in Section 8 to keep up to three local snapshots you can reload later.
Important Notes
- Resource-based policy scope: S3 bucket policies are resource-based — every statement requires a Principal. For identity-based IAM policies, use the separate IAM Policy Simulator Tool or IAM Policy Analyzer Tool instead.
- 20 KB size limit: S3 enforces a 20 KB hard limit on the bucket policy document. The tool shows the current size and warns at 80% / errors above the limit.
- Bucket-level vs object-level actions: s3:GetObject needs an object ARN (with /*); s3:ListBucket needs a bucket ARN (no /*). Mixing them in the same statement requires both ARN forms in Resource.
- CloudFront OAC requires aws:SourceArn: When the Principal is cloudfront.amazonaws.com, always restrict access to a specific distribution with StringEquals AWS:SourceArn to prevent confused-deputy attacks.
- OAI vs OAC: Origin Access Identity (OAI) is the legacy mechanism. New CloudFront distributions should use Origin Access Control (OAC) — see the cloudfront-oac preset. Existing OAI configurations continue to work, but new features (e.g., SigV4 signing for region-specific buckets) require OAC.
- Deny always wins: An explicit Deny overrides any Allow. Use the linter's "Allow / Deny conflict" finding (S3BP006) to spot dead Allow statements.
- Not a substitute for AWS Access Analyzer: The built-in linter is heuristic. Always validate with IAM Access Analyzer policy validation and review against the official AWS S3 bucket policy examples before deploying to production.
- Sample values are AWS dummy values: Account ID 123456789012, CloudFront distribution EDFDVBD6EXAMPLE, VPC endpoint vpce-1234abcd, and CIDR ranges from RFC 5737 documentation prefixes are used throughout. Replace them with your own values.
- Disclaimer: This tool generates and lints S3 bucket policy JSON in your browser. It does not apply policies to AWS. Always test in a non-production bucket and validate with AWS IAM Access Analyzer before production use.
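As an added example (not the tool's own code), the following JavaScript implements four of the linter checks described in the notes above: public Allow without conditions, bucket / object ARN mismatch with action scope, a CloudFront service principal without aws:SourceArn, and a missing TLS-only Deny. The bucket name example-bucket, the severities and the finding messages are assumptions; the sample policy is constructed with the AWS dummy values the page uses.

```javascript
// Added example, not the tool's own code: a minimal linter for four of the rules the page lists.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const OBJECT_ACTIONS = new Set(["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]);
const BUCKET_ACTIONS = new Set(["s3:ListBucket", "s3:GetBucketPolicy"]);
// "*" or {"AWS": "*"} is a public principal (simplified: list forms are not handled).
const isPublic = (p) => p === "*" || (p !== null && typeof p === "object" && p.AWS === "*");

function lintPolicy(policy) {
  const findings = [];
  let hasTlsDeny = false;
  asList(policy.Statement).forEach((st, i) => {
    const sid = st.Sid || `Statement[${i}]`;
    const actions = asList(st.Action);
    const resources = asList(st.Resource);
    const cond = st.Condition || {};
    // Rule: public Allow with no Condition at all.
    if (st.Effect === "Allow" && isPublic(st.Principal) && Object.keys(cond).length === 0) {
      findings.push({ sid, severity: "CRITICAL", msg: "public Allow without conditions" });
    }
    // Rule: action scope vs ARN form. Object actions need "bucket/*", bucket actions the bare ARN.
    const hasObjArn = resources.some((r) => r === "*" || r.includes("/"));
    const hasBktArn = resources.some((r) => r === "*" || !r.includes("/"));
    if (actions.some((a) => OBJECT_ACTIONS.has(a)) && !hasObjArn) {
      findings.push({ sid, severity: "HIGH", msg: "object action without an object ARN (/*)" });
    }
    if (actions.some((a) => BUCKET_ACTIONS.has(a)) && !hasBktArn) {
      findings.push({ sid, severity: "HIGH", msg: "bucket action without a bucket ARN" });
    }
    // Rule: a CloudFront service principal must be pinned to one distribution with aws:SourceArn.
    const services = asList(st.Principal && st.Principal.Service);
    const keys = Object.values(cond).flatMap((c) => Object.keys(c).map((k) => k.toLowerCase()));
    if (services.includes("cloudfront.amazonaws.com") && !keys.includes("aws:sourcearn")) {
      findings.push({ sid, severity: "HIGH", msg: "CloudFront principal without aws:SourceArn" });
    }
    // Recognise the TLS-only Deny: Effect Deny with Bool aws:SecureTransport = false.
    const bool = cond.Bool || {};
    const tlsKey = Object.keys(bool).find((k) => k.toLowerCase() === "aws:securetransport");
    if (st.Effect === "Deny" && tlsKey && String(bool[tlsKey]) === "false") hasTlsDeny = true;
  });
  if (!hasTlsDeny) findings.push({ sid: "(policy)", severity: "MEDIUM", msg: "missing TLS-only Deny" });
  return findings;
}

// Constructed sample policy (bucket name is made up); it trips all four checks.
const SAMPLE_POLICY = { Version: "2012-10-17", Statement: [
  { Sid: "PublicRead", Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: "arn:aws:s3:::example-bucket/*" },
  { Sid: "CloudFrontOAC", Effect: "Allow", Principal: { Service: "cloudfront.amazonaws.com" },
    Action: "s3:GetObject", Resource: "arn:aws:s3:::example-bucket" },
] };
```

Running lintPolicy(SAMPLE_POLICY) reports a CRITICAL public-read finding, two HIGH findings on the CloudFront statement (object action on a bare bucket ARN, and no aws:SourceArn pin), and a MEDIUM for the absent TLS-only Deny; adding the StringEquals AWS:SourceArn condition and a Deny with Bool aws:SecureTransport false clears them.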