AWS IAM Policy Templates — Copy-Paste Least-Privilege Policies

Writing an IAM policy from scratch usually means either copying something too broad from a Stack Overflow answer, or spending an hour cross-referencing the AWS action reference. These templates are scoped to a single resource, explain why each statement is shaped the way it is, and call out the common mistake that widens the policy without anyone noticing.

Replace the placeholder ARNs, paste it in, then check it with the free AI-Powered IAM analyzer — no signup, no AWS credentials. Want to understand the terminology first? See the AWS IAM glossary.

Templates

S3
S3 Read-Only Access
Read and list objects in one bucket — no write, no delete, no bucket-config changes. Note the two-ARN shape: s3:ListBucket is granted on the bucket ARN, s3:GetObject on bucket/*; collapsing both onto a single bucket/* Resource silently breaks ListBucket, and collapsing onto "*" grants every bucket.
Lambda
Lambda Execution Role (Logs Only)
The minimum a Lambda function needs to write its own CloudWatch Logs — nothing else.
EKS
EKS IRSA (IAM Roles for Service Accounts)
Bind a pod's ServiceAccount to an IAM role via OIDC — no long-lived node-wide credentials. Condition the trust policy on the OIDC sub claim (system:serviceaccount:<namespace>:<name>), otherwise any ServiceAccount in the cluster can assume the role.
IAM / STS
CI/CD Deploy Role (GitHub Actions OIDC)
Let a GitHub Actions workflow assume a deploy role with no long-lived AWS access keys stored in CI. The trust policy must condition on the token's sub claim (repository plus branch or environment), not only on aud; with aud alone, every GitHub repository can assume the role.
DynamoDB
DynamoDB CRUD (Single Table)
Create, read, update, delete items in one table — no DeleteTable, no cross-table access.
EC2
EC2 Read-Only (Describe Only)
List and describe EC2 resources for dashboards, inventory, or cost tooling — no start/stop/terminate. EC2 Describe actions do not support resource-level permissions, so the scoping here comes from the action list, not from the Resource element.
CloudWatch Logs
CloudWatch Logs Write (Scoped Log Group)
Write application logs to one specific log group — for services that are not Lambda (ECS, EC2, self-managed). logs:PutLogEvents is authorised against the log stream, so the Resource needs both the log group ARN and its log-stream:* child, not the log group alone.
IAM / STS
Cross-Account Read-Only Role
Let a trusted external account (e.g. a security tool or parent org account) read resources without write access. For a third-party tool, add an sts:ExternalId condition to the trust policy so the tool cannot be used as a confused deputy against your account.
SQS
SQS Consumer (Single Queue)
Receive, process, and delete messages from one queue — no SendMessage, no queue-config changes.
KMS
KMS Encrypt-Only (Write Path, No Decrypt)
Let a service encrypt data with a key it can never use to decrypt — for one-way write paths like log shipping or backups. Callers that envelope-encrypt (for example S3 SSE-KMS uploads) need kms:GenerateDataKey alongside kms:Encrypt; kms:Decrypt stays out either way.
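As an added example (not one of the page's templates and not Shieldly's analyzer), the block below builds the S3 read-only policy for one bucket and then runs the kind of pre-paste check the page recommends: it flags wildcard actions, unscoped resources, and the bucket-ARN versus object-ARN mismatch that either breaks ListBucket or widens the grant. The bucket name and the two "wrong" policies are constructed placeholders, and the action sets are a partial list chosen for the check, not the full AWS action reference.

```python
"""Added example (not one of the page's templates and not Shieldly's
analyzer): build the S3 read-only policy for one bucket, then lint it for
the mistakes that quietly widen or break it. The bucket name and the
sample "wrong" policies are constructed placeholders."""
import json

BUCKET = "example-bucket"  # placeholder, replace with your bucket name

# Partial action sets for the checks below, chosen for this example; they are
# not the full AWS action reference.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def s3_read_only_policy(bucket: str) -> dict:
    """Read and list objects in one bucket; no write, delete or bucket config.

    Two statements on purpose: s3:ListBucket is bucket-level and must name the
    bucket ARN, s3:GetObject is object-level and must name bucket/*. Putting
    both actions on bucket/* alone silently breaks ListBucket; putting both on
    "*" grants every bucket in the account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOneBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"{S3_ARN_PREFIX}{bucket}"},
            {"Sid": "ReadObjectsInOneBucket", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"{S3_ARN_PREFIX}{bucket}/*"},
        ],
    }


def render(policy: dict) -> str:
    """JSON as you would paste it into the console or a Terraform heredoc."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _is_bucket_arn(r: str) -> bool:
    return r.startswith(S3_ARN_PREFIX) and "/" not in r[len(S3_ARN_PREFIX):]


def _is_object_arn(r: str) -> bool:
    return r.startswith(S3_ARN_PREFIX) and "/" in r[len(S3_ARN_PREFIX):]


def lint_s3_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy passed.

    Checks: wildcard actions (s3:*, s3:Get*), unscoped resources, and the
    bucket-vs-object ARN mismatch that makes a statement either useless or
    broader than intended. Deny statements are left alone.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        for a in actions:
            if "*" in a:
                findings.append(f"{sid}: wildcard action {a!r} grants more than a read-only template needs")
        for r in resources:
            if r in ("*", f"{S3_ARN_PREFIX}*"):
                findings.append(f"{sid}: resource {r!r} is not scoped to one bucket")

        # "*" matches everything, so it covers both shapes (already flagged above).
        covers_objects = any(r == "*" or _is_object_arn(r) for r in resources)
        covers_bucket = any(r == "*" or _is_bucket_arn(r) for r in resources)
        if any(a in OBJECT_LEVEL_ACTIONS for a in actions) and not covers_objects:
            findings.append(f"{sid}: object-level action on a bucket ARN matches no object; use '{S3_ARN_PREFIX}<bucket>/*'")
        if any(a in BUCKET_LEVEL_ACTIONS for a in actions) and not covers_bucket:
            findings.append(f"{sid}: bucket-level action on an object ARN never matches; use '{S3_ARN_PREFIX}<bucket>'")
    return findings


# Constructed variants of what often gets pasted instead of the template.
WIDENED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Wide", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
MISMATCHED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OneResource", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": f"{S3_ARN_PREFIX}{BUCKET}/*"}]}


if __name__ == "__main__":
    print(render(s3_read_only_policy(BUCKET)))
    for name, pol in (("template", s3_read_only_policy(BUCKET)),
                      ("widened", WIDENED), ("mismatched", MISMATCHED)):
        print(name, lint_s3_policy(pol) or "OK")
```

The template passes clean; the "widened" variant is flagged twice (wildcard action and unscoped resource), and the "mismatched" variant, which looks tidy because everything sits on one Resource, is flagged once because s3:ListBucket on bucket/* never matches, so the user gets objects but cannot list them and someone eventually "fixes" it with "*".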

Check this policy before you paste it

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky iam:PassRole grants in seconds — including in policies built from these templates once you fill in real ARNs and add more actions. No signup, no AWS credentials. Also ships as a CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.