json 15 lines · 1 tab

Least privilege IAM policy for an application on AWS

Kai Nakamura Apr 2026
1 tab
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::codesnips-assets-production/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": ["arn:aws:kms:us-east-1:123456789012:key/abcd-1234"]
    }
  ]
}
1 file · json Explain with highlit

Cloud IAM mistakes become high-impact quickly, so I keep policies narrow and resource-scoped. Wildcards are convenient until they become an incident report. The baseline question is always the same: what exact actions on what exact resources does this workload need right now.

Share this code

Here's the card — post it anywhere.

Least privilege IAM policy for an application on AWS — share card
Link copied