Writing an S3 bucket policy by hand is fiddly, and the classic AWS Policy Generator UI still leaves you hand-editing ARNs. Generating it from a description is faster — as long as you verify the result.
Describe the intent precisely
Vague prompts produce over-broad policies. Compare:
- ❌ "Give my bucket public access"
- ✅ "Allow
s3:GetObjectfor anyone onassets-prodobjects only, and deny any request over plain HTTP"
The second names the action, the Principal, the resource, and a condition — the four things an S3 policy actually needs.
Start from a known-good shape
Rather than a blank editor, open the S3 bucket policy template and edit from there. You inherit a correct structure — both the bucket and object ARNs, a deny-insecure-transport guardrail — and only change the specifics.
Verify four things
After generating, check:
- Principal is as narrow as you meant (
"*"is a big deal — that is the whole internet). - Both ARNs are present where object and bucket actions are mixed.
- No wildcard crept into
Action(s3:*on an Allow is almost never right). - A deny-insecure-transport statement is present.
Iterate with diffs
Ask follow-ups like "restrict this to a CloudFront origin" or "make it private instead" and review each change as a side-by-side diff before accepting it. That review step is where correctness actually happens — the generator gets you 90% there, the diff gets you the last 10%.
Open the template, describe your case, and let the workspace generate and diff the policy for you.