Holmes Stacks
Career · June 3, 2026

How to create secure AWS IAM policies for cloud access

In this video, you will learn how to configure AWS Identity and Access Management (IAM) policies securely by applying the principle of least privilege.

What this guide covers

After reading this, you will be able to write a secure AWS IAM policy that grants only the necessary permissions—specifically read-only access to an S3 bucket—using the principle of least privilege.

When to use it

  • When you need to limit a cloud user or role to read-only operations on a specific S3 bucket
  • When tightening permissions to reduce blast radius in cloud environments
  • When preparing for security audits that require strict access control
  • When troubleshooting access problems whose root cause is overly broad IAM permissions

The move, step by step

  1. Identify the exact AWS actions the user or role needs. For read-only S3 access, this is typically s3:ListBucket and s3:GetObject.

  2. Specify the exact resources these actions apply to: the bucket ARN and all objects inside it. Use "arn:aws:s3:::your-bucket-name" for the bucket itself and "arn:aws:s3:::your-bucket-name/*" for objects.

  3. Create the IAM policy JSON with "Effect": "Allow", the "Action" list, and the "Resource" list.

  4. Attach the policy to the specific IAM user, group, or role in the AWS Console or via CLI.

  5. Test with the user or role by trying allowed operations (e.g., listing objects, reading files) and ensure denied operations (write, delete) are blocked.

Example

Input: Need read-only access to bucket secure-logs

IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::secure-logs",
        "arn:aws:s3:::secure-logs/*"
      ]
    }
  ]
}

Expected outcome:

  • User can run aws s3 ls s3://secure-logs to list objects
  • User can run aws s3 cp s3://secure-logs/logfile.txt ./ to download objects
  • User cannot delete, put, or list other buckets

Common mistakes

  • Mistake: Granting "Action": "s3:*" → Fix: List explicit actions like "s3:ListBucket" and "s3:GetObject".
  • Mistake: Omitting the object ARN (using only bucket ARN) → Fix: Include "arn:aws:s3:::bucket-name/*" to cover all objects.
  • Mistake: Attaching policies to the "root" user instead of roles or service accounts → Fix: Use IAM roles or restricted users for daily access.
  • Mistake: Not testing the policy in a staging environment → Fix: Always test permissions before production deployment.
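As an added example (not part of the original guide), the Python below applies a deliberately simplified model of IAM evaluation (default deny, explicit Deny overrides Allow, `*` wildcards in Action and Resource) to the read-only policy from the step-by-step section and to two of the common mistakes above, so the expected outcomes can be reasoned about offline before anything is attached in AWS. It is not the real AWS evaluation engine (no Condition keys, resource policies, SCPs or permission boundaries); the policy documents and request tuples are constructed for the example.

```python
import fnmatch

# Simplified model of IAM evaluation for identity-based policies: default deny,
# explicit Deny wins. Teaching model only: no Condition keys, resource policies,
# SCPs or permission boundaries.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # '*' and '?' are wildcards in Action and Resource, as in IAM.
    patterns = _as_list(patterns)
    if fold_case:  # action names are case-insensitive in IAM
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """True if the policy grants `action` on `resource` under this model."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource, fold_case=False)):
            if stmt["Effect"] == "Deny":
                return False  # an explicit deny always wins
            allowed = True
    return allowed

def policy_for(actions, resources):
    # Constructed single-statement policy in the shape used in the guide.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}]}

BUCKET = "arn:aws:s3:::secure-logs"
READ_ONLY = policy_for(["s3:ListBucket", "s3:GetObject"], [BUCKET, BUCKET + "/*"])
TOO_BROAD = policy_for("s3:*", [BUCKET, BUCKET + "/*"])                   # mistake: s3:*
NO_OBJECT_ARN = policy_for(["s3:ListBucket", "s3:GetObject"], [BUCKET])  # mistake: bucket ARN only

# Constructed requests mirroring the guide's "Expected outcome" checks.
REQUESTS = {
    "list_bucket": ("s3:ListBucket", BUCKET),
    "get_object": ("s3:GetObject", BUCKET + "/logfile.txt"),
    "put_object": ("s3:PutObject", BUCKET + "/logfile.txt"),
    "delete_object": ("s3:DeleteObject", BUCKET + "/logfile.txt"),
    "list_other_bucket": ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
}

def evaluate(policy):
    """Map each named request to the model's allow (True) / deny (False)."""
    return {name: is_allowed(policy, *req) for name, req in REQUESTS.items()}
```

Running `evaluate(READ_ONLY)` should allow only the list and get requests; `evaluate(TOO_BROAD)` also allows put and delete, and `evaluate(NO_OBJECT_ARN)` silently denies the object download the guide expects to work.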

Next step

Pick one S3 bucket you manage. Write and attach a read-only policy like the example above for a test IAM user or role. Verify the permissions by trying allowed and denied actions. Then come back and try the next move from the video.

Your one action today

Pick the smallest version of this guide and try it in your tool of choice in the next 20 minutes.
