AWS IAM Policy Generator & Visualizer (JSON to Graph) | Free & Client-Side

AWS IAM Policy Visualizer & Generator | Parse JSON, visualize permissions, and build least-privilege policies offline.

AWS IAM Policy Visualizer & Generator

Visualize IAM Policy

Paste your IAM policy JSON to visualize its structure and permissions.

Visualization will appear here

Enter a valid IAM policy JSON and click “Visualize Policy”

Generate IAM Policy

Configure your IAM policy using the form below. The policy will be generated in real-time.

Select the actions you want to include in the policy:

Specify the AWS resources this policy applies to (ARN format):

Generated Policy

{ “Version”: “2012-10-17”, “Statement”: [ { “Effect”: “Allow”, “Action”: [], “Resource”: [] } ] }

Template Library

Select from common policy templates. Click “Use Template” to load it into the generator.

Template Preview

Select a template to preview it here.

AWS IAM Policy Visualizer & Generator Tool | Built for AWS and Java Developers

This tool is for educational purposes. Always follow the principle of least privilege when creating IAM policies.

AWS IAM Documentation | GitHub Repository

Why This Tool Exists

Hey AWS builders! If you’ve ever struggled with IAM policies – whether it’s trying to understand what a complex JSON policy actually does, creating secure policies from scratch, or converting policies between different infrastructure-as-code formats – this tool is for you.

As an AWS and Java expert who’s built countless tools for cloud teams, I created this comprehensive IAM Policy Visualizer & Generator to solve the exact pain points we all face daily. This isn’t just another JSON formatter – it’s a complete workflow tool designed to make IAM policy management intuitive, secure, and efficient.

Let me walk you through every feature so you can become an IAM policy master.

The Dashboard: Your Policy Command Center

When you first open the tool, you’ll notice the clean, minimalist interface with three main tabs:

  1. Policy Visualizer – For understanding existing policies
  2. Policy Generator – For creating new policies from scratch
  3. Template Library – For using pre-built, secure templates

Let’s dive into each one.

Policy Visualizer: See Through the JSON Fog

The Problem It Solves

Have you ever received a 200-line IAM policy and thought, “What does this actually allow?” Or worse, found a wildcard "*" buried in a policy that’s been granting unnecessary access for months?

Step-by-Step Guide

Step 1: Paste Your Policy
Simply copy any IAM policy JSON and paste it into the text area. Don’t worry about formatting – the tool will handle it.

Example to try:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::production-bucket", "arn:aws:s3:::production-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}

Step 2: Click “Visualize Policy”
Instantly, you’ll see:

  • Color-coded visualization: Each statement broken down visually
  • Badges: Quickly identify Allow (green) vs Deny (red) statements
  • Action/Resource counts: See at a glance how many permissions are granted
  • Wildcard indicators: Yellow badges warn you about overly permissive * usage

Step 3: Read the Human Explanation
This is where the magic happens. The tool automatically analyzes your policy and explains it in plain English:

Example output:

⚠️ Statement 2 denies DeleteObject on all resources (good security practice!)
✓ Statement 1 allows 2 actions on 2 specific resources
✓ This policy follows the principle of least privilege

Real-World Scenario: Yesterday, I used this to audit a client’s S3 policy and discovered a wildcard resource they didn’t know existed. The warning saved them from a potential data breach.

Policy Generator: Build Secure Policies Without the Guesswork

The Problem It Solves

Creating IAM policies from scratch is error-prone. Do you use an array or string for Actions? How do you format ARNs correctly? What about version numbers?

Step-by-Step Guide

Step 1: Start with a Template (Recommended)
Select from common use cases in the dropdown:

  • “S3 Read Only Access”
  • “EC2 Read Only Access”
  • “Lambda Invoke Function”
  • Or start with “Custom Policy”

Step 2: Configure Your Policy

  1. Effect: Choose “Allow” or “Deny”
  2. Service: Select AWS service (S3, EC2, Lambda, etc.)
  3. Actions: Click to select specific actions (they’re pre-filtered by service)
  4. Resources: Enter ARNs (the tool helps with format)

Pro Tip: Start restrictive! Select only the actions you need. The tool shows service-specific actions, so you don’t have to memorize IAM action names.

Step 3: Watch Live Preview
As you configure, the JSON preview updates in real-time. No more “write, test, fail, repeat” cycles.

Step 4: Choose Your Output Format
This is a game-changer for infrastructure teams:

  • JSON: Standard IAM policy format
  • Terraform HCL: Ready for your Terraform configurations
  • CloudFormation: Perfect for AWS-native deployments

Real-World Scenario: Last week, I needed to create a policy for a Lambda function to write to DynamoDB and CloudWatch Logs. With the generator, I had a perfectly formatted Terraform policy in 2 minutes instead of 30 minutes of trial-and-error.

Template Library: Security Best Practices Built-In

The Problem It Solves

Reinventing the wheel for common use cases wastes time and introduces security risks. The template library gives you secure, battle-tested starting points.

Available Templates

  1. S3 Read Only Access – Perfect for read-only applications
  2. S3 Full Access – For administrative buckets (with warnings!)
  3. EC2 Read Only – View instances without modification rights
  4. Lambda Invoke Only – Execute functions without deployment access
  5. DynamoDB CRUD – Full table operations without schema changes
  6. CloudWatch Logs – Log writing and reading permissions
  7. RDS Read Only – Database monitoring without modification
  8. Administrator Access – ⚠️ With clear warnings about the dangers

How to Use Templates

Option A: Use as Starting Point
Click “Use Template” to load it into the Generator tab, then customize for your specific resources.

Option B: Learn from Examples
Browse templates to understand how to structure policies for different services. Notice how each follows the principle of least privilege.

Real-World Scenario: A startup client needed to give their monitoring service access to CloudWatch Logs. Instead of researching IAM actions, they used the CloudWatch Logs template and replaced the ARN with theirs. Done in 60 seconds.

Human-Readable Explanations: Your Security Guard

This feature alone could save your AWS account. The tool analyzes policies and warns you about:

What It Detects:

  1. Wildcard Actions ("Action": "*")
    • ❌ “This policy allows ALL ACTIONS!”
    • ✅ Fix: Specify exact actions needed
  2. Wildcard Resources ("Resource": "*")
    • ❌ “This applies to ALL RESOURCES!”
    • ✅ Fix: Restrict to specific ARNs
  3. Administrative Permissions
    • ⚠️ “Contains IAM actions – use with extreme caution!”
    • ✅ Fix: Consider if non-admin alternatives exist
  4. Destructive Actions
    • ⚠️ “Allows Delete/Terminate actions”
    • ✅ Fix: Ensure these are intentional
  5. Principle of Least Privilege Violations
    • ⚠️ “Allows 47 actions – consider if all are needed”
    • ✅ Fix: Review and remove unnecessary actions

Real Example from My Work:

A client’s policy looked harmless until the analyzer flagged:

⚠️ WARNING: This policy allows "s3:*" on all resources!

Turned out a junior dev had copy-pasted from a tutorial. We fixed it before it was deployed to production.

Output Formats: Speak Your Infrastructure’s Language

Why Multiple Formats Matter

Different teams use different tools:

  • DevOps teams love Terraform
  • Cloud teams often use CloudFormation
  • Everyone needs plain JSON for manual IAM console work

How to Use Each Format:

JSON Output:

  • Use for: Console, CLI, SDK integrations
  • Example: Direct IAM policy attachment

Terraform HCL:

  • Use for: Infrastructure as Code
  • Example:
data "aws_iam_policy_document" "s3_read_only" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = ["arn:aws:s3:::bucket/*", "arn:aws:s3:::bucket"]
  }
}

CloudFormation:

  • Use for: AWS-native deployments
  • Example: Embedded in CloudFormation templates

Pro Tip: Generate in Terraform format even if you use CloudFormation. The structure is often cleaner and easier to understand.

Mobile Experience: Policy Management On-The-Go

Yes, it works beautifully on your phone! I designed it specifically for those moments when you need to:

  • Quickly review a policy during an incident
  • Make emergency changes while away from your desk
  • Demonstrate IAM concepts during meetings

The mobile interface:

  • Stacks tabs vertically for easy tapping
  • Maintains all functionality
  • Uses larger touch targets
  • Preserves syntax highlighting

Pro Tips from an AWS Expert

After building hundreds of IAM policies, here are my golden rules:

1. Start with Templates

Even if you’re an IAM expert, templates ensure you don’t miss edge cases.

2. Use the Visualizer for Code Reviews

Before approving any IAM policy changes, paste them into the visualizer. The human explanation catches things automated tools miss.

3. Test Deny Statements

Create a Deny statement in the generator, then visualize it to ensure it works as expected. Deny always overrides Allow!

4. Export as Terraform for Documentation

Even if you’re not using Terraform, the HCL output is the clearest way to document what a policy does.

5. Check for Version “2012-10-17”

The visualizer warns if you’re using an older version. Always use the latest for access to all features.

6. Regular Policy Audits

Every quarter, export your IAM policies and visualize them. You’ll be surprised what you find.

Real-World Use Cases

Case Study 1: Startup Security Review

A fintech startup needed SOC 2 compliance. We:

  1. Exported all IAM policies
  2. Visualized each one
  3. Found 3 policies with wildcard resources
  4. Used the generator to create restricted versions
  5. Saved 40+ hours of manual review

Case Study 2: Multi-Format Team

A company had DevOps using Terraform and Cloud team using CloudFormation. We:

  1. Created policies in the generator
  2. Exported both Terraform and CloudFormation versions
  3. Ensured consistency across platforms
  4. Eliminated “translation errors” between teams

Case Study 3: Emergency Fix

3 AM production incident: A policy was too restrictive. From my phone I:

  1. Pulled up the problematic policy
  2. Used the visualizer to understand it
  3. Generated a corrected version in the generator
  4. Had the fix ready before I reached my laptop

Getting Started Checklist

For your first session with the tool:

  1. Bookmark the tool in your browser
  2. Export your most complex IAM policy and visualize it
  3. Create a new policy using a template
  4. Try exporting in all three formats
  5. Test the mobile experience
  6. Share with one teammate who manages IAM policies

💬 Community & Support

This tool is completely free and open source. I maintain it because I believe secure IAM practices should be accessible to everyone.

Your Turn: Become an IAM Hero

IAM policies don’t have to be scary. With this tool, you can:

  • Understand any policy in seconds
  • Create secure policies in minutes
  • Convert between formats effortlessly
  • Avoid security nightmares

The next time you’re staring at IAM policy JSON wondering what it does or how to create one, remember: You have a tool that turns complexity into clarity.

Happy building, and stay secure! 🛡️

Frequently Asked Questions (FAQ)

Q1: Is this tool free to use?

A: Absolutely! This is a 100% free tool built by an AWS expert who believes secure cloud practices should be accessible to everyone. No sign-up, no subscriptions, no hidden costs. Just open it in your browser and start using it.

Q2: Do you store my IAM policies?

A: No. The tool runs entirely in your browser – no data is sent to any server. Your IAM policies stay on your computer. This is crucial because IAM policies often contain sensitive information about your AWS resources.

Q3: Is this an official AWS tool?

A: No, this is a third-party tool built by an AWS and Java expert with extensive experience in cloud infrastructure. While it uses AWS’s IAM policy specifications and best practices, it’s not affiliated with or endorsed by Amazon Web Services.

Q4: Can I use this tool offline?

A: Yes! Once you load the page in your browser, you can use all features offline. The only external dependency is Font Awesome for icons, but the core functionality will work even without an internet connection.

Q5: How can I trust the security analysis?

A: The security analysis is based on AWS’s own IAM best practices documentation:

  • It flags wildcards (*) because AWS recommends the principle of least privilege
  • It warns about administrative permissions based on AWS’s own dangerous action lists
  • The analysis is conservative – it’s better to get a false warning than miss a real issue

Q6: Should I use this for production policies?

A: Yes, but with the same caution you’d use with any policy creation tool:

  1. Always review the generated policy
  2. Test in a non-production environment first
  3. Use the visualizer to double-check before deployment
  4. Follow your organization’s change management processes

Q7: Does this tool guarantee my policies are secure?

A: No tool can guarantee security. This tool helps you create better policies and identify potential issues, but you’re responsible for:

  • Understanding your specific security requirements
  • Testing policies in your environment
  • Regular security audits
  • Staying updated with AWS security announcements

Technical Questions

Q8: What IAM policy version does the tool use?

A: The tool generates policies using version "2012-10-17", which is the latest and recommended version by AWS. If you visualize a policy with an older version, the tool will warn you.

Q9: Can I generate policies for all AWS services?

A: The tool supports the most commonly used AWS services (S3, EC2, Lambda, DynamoDB, IAM, RDS, CloudWatch, SQS, SNS). For services not in the dropdown, you can:

  1. Use the “All Services (*)” option
  2. Manually edit the generated JSON
  3. Create a custom template by selecting specific actions

Q10: Why doesn’t the Terraform output match my exact Terraform configuration?

A: The Terraform output uses the aws_iam_policy_document data source, which is the most flexible and recommended way to create IAM policies in Terraform. Your actual Terraform code might:

  • Use different variable names
  • Have additional Terraform-specific configurations
  • Use modules or different resource structures

The output is a starting point that you can adapt to your specific Terraform setup.

Q11: Can I import existing policies to modify them?

A: Yes! Use the Visualizer tab:

  1. Paste your existing policy JSON
  2. Understand what it does with the visualization
  3. Copy the JSON
  4. Switch to Generator tab and manually recreate it (or modify the JSON directly in the Visualizer)

We’re working on a direct “Edit Policy” feature for a future release.

Feature Questions

Q12: What’s the difference between Templates and Examples?

A: Good question! They serve different purposes:

  • Templates: Pre-built, complete policies you can use as-is or modify
  • Examples: Reference policies that demonstrate specific concepts (used primarily in the old “Examples” tab, now integrated into Template Library)

Q13: Can I save my custom templates?

A: Currently, there’s no built-in save function because the tool runs in your browser. However, you can:

  1. Export your custom policy as JSON
  2. Save it as a file
  3. Re-import it later by pasting into the Visualizer
  4. Or create your own template library by saving common policies in a text file

Q14: How accurate is the human-readable explanation?

A: The explanation is based on pattern matching and AWS security best practices. It’s designed to catch common issues:

  • Highly accurate: Wildcard detection, action counting, version checking
  • Contextual warnings: Administrative actions, destructive permissions
  • Educational guidance: Principle of least privilege reminders

It won’t catch every edge case, but it’s excellent for the 95% most common scenarios.

Q15: Why three output formats? Can’t I just use JSON everywhere?

A: Different teams use different tools:

  • Development teams often use Terraform for infrastructure-as-code
  • Cloud teams might use CloudFormation for AWS-native deployments
  • Manual operations require raw JSON for the AWS Console or CLI

Having all three formats prevents translation errors when moving between systems.

Troubleshooting

Q16: The tool says my JSON is invalid but it works in AWS

A: AWS’s IAM service is sometimes more forgiving than strict JSON parsers. Common issues:

  • Trailing commas: "Action": ["s3:GetObject",], (remove the comma)
  • Missing quotes: Resource: arn:aws:s3:::bucket (add quotes)
  • Comments: JSON doesn’t support // comments

Use the tool’s JSON validator to fix these issues – AWS might accept it now but fail later.

Q17: The visualization looks wrong for my complex policy

A: The visualizer handles standard IAM policies with Statements, Effects, Actions, and Resources. Edge cases that might not visualize perfectly:

  • Nested condition blocks
  • NotAction/NotResource usage
  • Complex principal definitions
  • Service-specific policy types (S3 bucket policies, KMS policies)

For these, focus on the JSON output and human-readable explanation.

Q18: Mobile view is cutting off some text

A: On very small screens:

  1. Use landscape mode for wider view
  2. The JSON previews have scroll bars – swipe horizontally
  3. Consider using the “Copy” button to view in a notes app
  4. We’re continuously optimizing for different screen sizes

Q19: Export isn’t working on my browser

A: Export requires modern browser features. Try:

  1. Updating your browser
  2. Using Chrome, Firefox, or Edge
  3. Checking if downloads are blocked by security settings
  4. Using the “Copy” button instead and pasting into a text file

Best Practices Questions

Q20: What’s the single most important feature I should use?

A: The human-readable explanation. Even if you’re an IAM expert, paste every policy through the visualizer before deployment. It’s saved me from several “oh no” moments.

Q21: How often should I audit my policies with this tool?

A: Regular schedule:

  • Monthly: Review new or modified policies
  • Quarterly: Full audit of all policies
  • After security incidents: Check related policies
  • Before compliance audits: Use as preparation tool

Q22: Can this tool help with IAM policy limits?

A: Indirectly, yes. The tool helps you:

  1. Create more concise policies (fewer characters)
  2. Avoid unnecessary permissions (fewer actions)
  3. Structure policies efficiently (better organization)

But it doesn’t calculate exact character counts or policy size.

Q23: Should I use Deny statements?

A: Use Deny statements carefully:

  • Good: Explicitly denying dangerous actions (like s3:DeleteBucket)
  • Bad: Using Deny as your primary security mechanism (Allow + least privilege is better)
  • The tool helps visualize Deny statements so you can see their impact

Q25: Can I request a feature?

A: Absolutely! The best ways:

  1. GitHub Issues: GITHUB
  2. Twitter/X: X
  3. Email: info@toolshref.com

Scroll to Top