
Policy

Creates and manages customer managed IAM policies that define permissions for AWS services and resources. When the policy document changes, the policy is updated in place with a new policy version rather than recreated, so its ARN and existing attachments are preserved.

Props

document (PolicyDocument, required)
  Policy document defining the permissions.
policyName (string, optional)
  Name of the policy. Default: ${app}-${stage}-${id}
description (string, optional)
  Description of the policy's purpose.
path (string, optional)
  IAM path prefix for the policy.
tags (Record<string, string>, optional)
  Resource tags to apply to the policy.

Output

arn (string)
  ARN of the policy.
policyName (string)
  Name of the policy.
defaultVersionId (string)
  ID of the default (active) policy version; it changes when a new version is published.
attachmentCount (number)
  Number of entities the policy is attached to.
createDate (Date)
  When the policy was created.
updateDate (Date)
  When the policy was last updated.
isAttachable (boolean)
  Whether the policy can be attached to IAM users, groups, or roles.

PolicyDocument Type

A PolicyDocument is an object with the following structure. Principal and NotPrincipal are listed in the type for completeness, but they are only valid in resource-based policies; IAM rejects an identity-based (managed) policy that contains them.
interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
  Principal?: Record<string, string | string[]>;
  NotPrincipal?: Record<string, string | string[]>;
  NotAction?: string | string[];
  NotResource?: string | string[];
}

Examples

Basic S3 bucket access policy

import { Policy } from "alchemy/aws";

// bucket: an S3 bucket resource created earlier in the app (not shown).
// Interpolating its ARN keeps the grant scoped to that bucket's objects.
const s3Policy = await Policy("bucket-access", {
  policyName: "s3-bucket-access",
  document: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: [
        "s3:GetObject",
        "s3:PutObject"
      ],
      // Object-level actions only: listing the bucket would additionally
      // need s3:ListBucket on `${bucket.arn}` itself.
      Resource: `${bucket.arn}/*`
    }]
  }
});

Policy with multiple statements and conditions

import { Policy } from "alchemy/aws";

// api: an API Gateway resource and vpc: a VPC resource created earlier (not shown).
const apiPolicy = await Policy("api-access", {
  policyName: "api-gateway-access",
  document: {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "InvokeAPI",
        Effect: "Allow",
        Action: "execute-api:Invoke",
        Resource: `${api.executionArn}/*`,
        // Satisfied only for calls arriving through a VPC endpoint in this
        // VPC. Requests from the public internet carry no aws:SourceVpc key,
        // so the condition is false and this Allow does not apply to them.
        Condition: {
          StringEquals: {
            "aws:SourceVpc": vpc.id
          }
        }
      },
      {
        Sid: "ReadLogs",
        Effect: "Allow",
        Action: [
          "logs:GetLogEvents",
          "logs:FilterLogEvents"
        ],
        // Log streams live under the group ARN, hence the trailing `:*`.
        Resource: `${api.logGroupArn}:*`
      }
    ]
  },
  description: "Allows invoking API Gateway endpoints and reading logs",
  tags: {
    Service: "API Gateway",
    Environment: "production"
  }
});

Policy that denies access based on tags

import { Policy } from "alchemy/aws";

// An explicit Deny overrides any Allow attached to the same principal.
const denyPolicy = await Policy("deny-production", {
  policyName: "deny-production-access",
  document: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Deny",
      Action: "*",
      Resource: "*",
      // aws:ResourceTag/Environment is only present in the request when the
      // target resource carries that tag and the action supports resource
      // tagging. When the key is absent, StringEquals evaluates to false and
      // this Deny does not fire, so untagged production resources are not
      // protected by it.
      Condition: {
        StringEquals: {
          "aws:ResourceTag/Environment": "production"
        }
      }
    }]
  }
});
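To see how the PolicyDocument type above and the three example documents actually behave once attached, here is an added example (not code from the Alchemy docs or from the Alchemy project) that simulates IAM's evaluation rules and runs documents shaped like the examples against concrete requests. The types mirror the page's PolicyDocument interface; the ARNs, account ID, VPC ID and requests are constructed placeholders. The simulator models only StringEquals and StringNotEquals (plus the IfExists suffix); everything else is an assumption stated in the comments.

```typescript
// Added example, not code from the Alchemy docs: a small simulator of IAM's
// evaluation rules, run against documents shaped like the page's examples.
// Types mirror the page's PolicyDocument; ARNs, IDs and requests are constructed.

type StrOrList = string | string[];
interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action?: StrOrList; NotAction?: StrOrList;
  Resource?: StrOrList; NotResource?: StrOrList;
  Condition?: Record<string, Record<string, StrOrList>>;
}
interface PolicyDocument { Version: "2012-10-17"; Statement: PolicyStatement[] }
// A request as IAM sees it; context holds only the condition keys the service
// actually populated (a key the action does not support is simply absent).
interface AccessRequest { action: string; resource: string; context: Record<string, string> }
type Decision = "Allow" | "ExplicitDeny" | "ImplicitDeny";

const list = (v?: StrOrList): string[] => v === undefined ? [] : Array.isArray(v) ? v : [v];

// IAM wildcards: "*" any run, "?" one char. Actions match case-insensitively, ARNs do not.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`, ignoreCase ? "i" : "").test(value);
}

// StringEquals / StringNotEquals, with the IfExists suffix. A key missing from
// the request makes a positive operator false, a negated or IfExists one true.
function conditionHolds(cond: PolicyStatement["Condition"], ctx: Record<string, string>): boolean {
  if (!cond) return true;
  for (const op of Object.keys(cond)) {
    const ifExists = op.endsWith("IfExists");
    const base = ifExists ? op.slice(0, -"IfExists".length) : op;
    if (base !== "StringEquals" && base !== "StringNotEquals") throw new Error(`not modelled: ${op}`);
    const block = cond[op] || {};
    for (const key of Object.keys(block)) {
      const actual = ctx[key];
      if (actual === undefined) {
        if (ifExists || base === "StringNotEquals") continue;
        return false;
      }
      const present = list(block[key]).indexOf(actual) !== -1;
      if (present !== (base === "StringEquals")) return false;
    }
  }
  return true;
}

function statementMatches(s: PolicyStatement, req: AccessRequest): boolean {
  const act = (p: string) => globMatch(p, req.action, true);
  const res = (p: string) => globMatch(p, req.resource, false);
  const actionHit = s.Action !== undefined ? list(s.Action).some(act) : !list(s.NotAction).some(act);
  const resourceHit = s.Resource !== undefined ? list(s.Resource).some(res) : !list(s.NotResource).some(res);
  return actionHit && resourceHit && conditionHolds(s.Condition, req.context);
}

// Explicit Deny beats every Allow; no matching Allow is an implicit deny.
function evaluate(docs: PolicyDocument[], req: AccessRequest): Decision {
  const hits: PolicyStatement[] = [];
  for (const d of docs) for (const s of d.Statement) if (statementMatches(s, req)) hits.push(s);
  if (hits.some((s) => s.Effect === "Deny")) return "ExplicitDeny";
  return hits.some((s) => s.Effect === "Allow") ? "Allow" : "ImplicitDeny";
}

// Constructed documents shaped like the three examples above.
const bucketArn = "arn:aws:s3:::example-bucket";
const apiArn = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3";
const bucketAccess: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: `${bucketArn}/*` },
] };
const apiAccess: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "execute-api:Invoke", Resource: `${apiArn}/*`,
    Condition: { StringEquals: { "aws:SourceVpc": "vpc-0a1b2c3d" } } },
] };
const denyProduction: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Deny", Action: "*", Resource: "*",
    Condition: { StringEquals: { "aws:ResourceTag/Environment": "production" } } },
] };

// Decisions for requests with all three policies attached to the same principal.
function demo(): Record<string, Decision> {
  const attached = [bucketAccess, apiAccess, denyProduction];
  const obj = `${bucketArn}/report.csv`;
  const route = `${apiArn}/prod/GET/orders`;
  const get = (context: Record<string, string>): AccessRequest => ({ action: "s3:GetObject", resource: obj, context });
  const invoke = (context: Record<string, string>): AccessRequest => ({ action: "execute-api:Invoke", resource: route, context });
  return {
    prodObject: evaluate(attached, get({ "aws:ResourceTag/Environment": "production" })), // ExplicitDeny
    devObject: evaluate(attached, get({ "aws:ResourceTag/Environment": "dev" })),         // Allow
    // Key never populated (untagged resource, or an action that does not
    // support aws:ResourceTag): the Deny condition is false and it does not fire.
    untagged: evaluate(attached, get({})),                                                // Allow
    // Nothing grants s3:ListBucket on the bucket ARN itself.
    listBucket: evaluate(attached, { action: "s3:ListBucket", resource: bucketArn, context: {} }), // ImplicitDeny
    vpcInvoke: evaluate(attached, invoke({ "aws:SourceVpc": "vpc-0a1b2c3d" })),          // Allow
    // From the public internet aws:SourceVpc is absent, so the Allow never applies.
    publicInvoke: evaluate(attached, invoke({})),                                         // ImplicitDeny
  };
}
```

The two "missing key" rows are the ones worth internalising: the same absent-key rule that makes the VPC-scoped Allow fail closed makes the tag-scoped Deny fail open. A Deny that must hold for untagged resources needs a different shape (for example, a Deny on the resource ARN itself, or StringNotEquals on the tag for the actions that support it), which is exactly what running the document through a check like this before calling Policy() surfaces.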
