Writing IAM by hand is error-prone; generating it from a description is faster — if you verify the result.
Describe the intent precisely
Vague prompts produce vague (over-broad) policies. Compare:
- ❌ "Give my app S3 access"
- ✅ "Allow
s3:GetObjectands3:ListBucketon thereports-prodbucket only, over HTTPS"
The second names the actions, the resource, and a condition — exactly the three things least privilege needs.
Start from a known-good shape
Rather than a blank page, open the read-only policy template and edit from there. You inherit a correct structure (both bucket and object ARNs, a deny-insecure-transport guardrail) and only change the specifics.
Always verify
After generating, check three things:
- No wildcards crept into Action or Resource.
- Both ARNs are present where S3 needs them.
- The policy denies what it should (HTTP, wrong region).
Iterate with diffs
Ask follow-ups like "restrict this to us-east-1" or "remove write permissions" and review each change as a side-by-side diff before accepting it. That review step is where correctness actually happens.
Open the template, describe your case, and let the workspace generate and diff the policy for you.