Server & DevOps
S3 Bucket Policy Wizard
Compose correct S3 bucket policies for AWS, Cloudflare R2, DigitalOcean Spaces or MinIO — public website bucket, private IAM access, HTTPS-only transport, IP allowlists — with validated JSON output and safety warnings before you expose anything.
Loading tool…
Need reliable hosting, a domain, or a hand setting this up?
Get a free quote →About the S3 Bucket Policy Wizard
The S3 Bucket Policy Wizard composes a correct, ready-to-paste JSON bucket policy for AWS S3 and S3-compatible object storage such as Cloudflare R2, DigitalOcean Spaces, and self-hosted MinIO. Pick a goal — public-read website bucket, private bucket with read-write for one IAM user, cross-account read access, deny non-HTTPS transport, or an IP allowlist — and the wizard writes the policy document with the proper Version, Effect, Principal, Action, Resource ARNs, and Condition blocks, splitting bucket-level and object-level permissions correctly. Extra toggles add a global deny on s3:DeleteObject and a rule requiring the server-side encryption header on uploads.
Bucket policies are unforgiving: one wrong ARN or a missing /* suffix and the policy either fails to apply or silently does nothing. This free tool by Hosting Cambodia helps developers, sysadmins, and cloud engineers in Cambodia and worldwide get the JSON shape right the first time, with a live validation badge, provider-specific application notes, and a prominent warning before you make a bucket public. Copy the policy or download policy.json and apply it in your provider's console or with the AWS CLI.
Frequently asked questions
Why does my public-read policy not work on AWS?
New AWS buckets ship with Block Public Access enabled at the bucket and often the account level, which overrides any bucket policy. You must disable the relevant block settings before a public-read policy takes effect — and only do that for buckets that genuinely serve public files.
What is the difference between the bucket ARN and bucket/* ARN?
arn:aws:s3:::bucket identifies the bucket itself and is needed for actions like s3:ListBucket, while arn:aws:s3:::bucket/* covers the objects inside and is needed for s3:GetObject, s3:PutObject, and s3:DeleteObject. The wizard automatically attaches each action to the correct resource.
Do these policies work on Cloudflare R2, Spaces, and MinIO?
DigitalOcean Spaces and MinIO accept the same policy document and arn:aws:s3::: prefix, applied via the AWS CLI or mc. Cloudflare R2 manages access primarily through R2 API tokens rather than bucket-policy JSON, so the tool shows a provider note explaining what applies where.
Explore the full free web tools toolbox by Hosting Cambodia.