# Policy

The Policy resource lets you create and manage AWS IAM Policies that define permissions for AWS services and resources.
## Minimal Example

Create a basic policy that allows S3 bucket access:

```ts
import { Policy } from "alchemy/aws";

// `bucket` is assumed to be an S3 Bucket resource created earlier in the same program.
const s3Policy = await Policy("bucket-access", {
  policyName: "s3-bucket-access",
  document: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["s3:GetObject", "s3:PutObject"],
        Resource: `${bucket.arn}/*`,
      },
    ],
  },
});
```
## Multiple Statements

Create a policy with multiple statements and conditions:

```ts
import { Policy } from "alchemy/aws";

// `api` and `vpc` are assumed to be API Gateway and VPC resources created earlier in the same program.
const apiPolicy = await Policy("api-access", {
  policyName: "api-gateway-access",
  document: {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "InvokeAPI",
        Effect: "Allow",
        Action: "execute-api:Invoke",
        Resource: `${api.executionArn}/*`,
        // Only allow invocations that originate from the given VPC.
        Condition: {
          StringEquals: {
            "aws:SourceVpc": vpc.id,
          },
        },
      },
      {
        Sid: "ReadLogs",
        Effect: "Allow",
        Action: ["logs:GetLogEvents", "logs:FilterLogEvents"],
        Resource: `${api.logGroupArn}:*`,
      },
    ],
  },
  description: "Allows invoking API Gateway endpoints and reading logs",
  tags: {
    Service: "API Gateway",
    Environment: "production",
  },
});
```
## Deny Policy

Create a policy that denies all actions on any resource tagged `Environment=production`:

```ts
import { Policy } from "alchemy/aws";

const denyPolicy = await Policy("deny-production", {
  policyName: "deny-production-access",
  document: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Deny",
        Action: "*",
        Resource: "*",
        // An explicit Deny overrides any Allow, so this blocks every action
        // on resources carrying the production tag.
        Condition: {
          StringEquals: {
            "aws:ResourceTag/Environment": "production",
          },
        },
      },
    ],
  },
});
```
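The three documents above are passed to `Policy` as plain objects, so nothing stops a typo or an over-broad `Allow` from being deployed. The following is an added example, not part of alchemy or its docs: a small lint pass over a policy document that checks the `Version`, rejects malformed actions and duplicate `Sid`s, and flags an unconditional `Allow` on `Resource: "*"` while leaving wildcard `Deny` statements (like the one above) alone. The `Statement`/`PolicyDocument` types and the bucket ARN are assumptions constructed for the example.

```typescript
// Added example (not part of alchemy): lint an IAM policy document before passing it
// to Policy(). Types mirror the `document` shape used on this page; they are assumptions.
type Statement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Version: string; Statement: Statement[] };
const toList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
// An action is "*" or "<service>:<operation>", where the operation may contain wildcards.
const ACTION_RE = /^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$/;
// Returns a list of findings; an empty list means the document passed every check.
function lintPolicyDocument(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  if (doc.Version !== "2012-10-17") findings.push(`Version must be "2012-10-17", got "${doc.Version}"`);
  const sids = new Set<string>();
  doc.Statement.forEach((s, i) => {
    const label = s.Sid ?? `Statement[${i}]`;
    if (s.Sid !== undefined) {
      if (sids.has(s.Sid)) findings.push(`duplicate Sid "${s.Sid}"`);
      sids.add(s.Sid);
    }
    const actions = toList(s.Action);
    for (const a of actions) if (!ACTION_RE.test(a)) findings.push(`${label}: malformed action "${a}"`);
    // Deny statements may legitimately use wildcards (see the Deny Policy above);
    // an Allow that grants access to Resource "*" without any Condition is the case to catch.
    if (s.Effect === "Allow" && toList(s.Resource).includes("*") && s.Condition === undefined) {
      const wildAction = actions.some((a) => a === "*" || a.endsWith(":*"));
      findings.push(`${label}: unconditional Allow on Resource "*"${wildAction ? " with wildcard Action" : ""}`);
    }
  });
  return findings;
}
// Constructed inputs: the page's minimal and deny documents, with a placeholder bucket ARN.
const bucketArn = "arn:aws:s3:::example-bucket"; // placeholder, not a real bucket
const s3Document: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: `${bucketArn}/*` }],
};
const denyDocument: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Deny", Action: "*", Resource: "*", Condition: { StringEquals: { "aws:ResourceTag/Environment": "production" } } }],
};
// A document that should fail: over-broad Allow plus a repeated Sid.
const overBroad: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Sid: "All", Effect: "Allow", Action: "*", Resource: "*" }, { Sid: "All", Effect: "Allow", Action: "s3:GetObject", Resource: `${bucketArn}/*` }],
};
```

Running `lintPolicyDocument` on the first two documents returns no findings; on `overBroad` it reports the unconditional wildcard `Allow` and the duplicate `Sid`.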