s3:GetObject
Literal appearances in AWS managed IAM policies. Statements that use wildcards (for example s3:*) are not counted here. This is not an IAM authorization simulation.
Policies (any): 179
Allow (Action): 177
Deny (Action): 3
NotAction: 3
Index generated 4/7/2026, 3:29:24 AM. 559 policies include at least one wildcard action string (any service).
Action reference
SAR-style (unofficial)
Service: Amazon S3
Access level: Read
Description: Grants permission to retrieve objects from Amazon S3
Resource types
- accesspointobject
- object
Allow (Action)
- AIOpsAssistantPolicy
- AWS-SSM-Automation-DiagnosisBucketPolicy
- AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy
- AWS-SSM-RemediationAutomation-AdministrationRolePolicy
- AWSAgentlessDiscoveryService
- AWSBackupServiceRolePolicyForS3Backup
- AWSBackupServiceRolePolicyForS3Restore
- AWSCleanRoomsFullAccess
- AWSCloudTrailFullAccess
- AWSCloudTrailReadOnlyAccess
- AWSCodeDeployRoleForECS
- AWSCodeDeployRoleForECSLimited
- AWSCodeDeployRoleForLambda
- AWSCodeDeployRoleForLambdaLimited
- AWSCodePipelineReadOnlyAccess
- AWSCodePipeline_FullAccess
- AWSCodePipeline_ReadOnlyAccess
- AWSCodeStarServiceRole
- AWSConfigRole
- AWSConfigRulesExecutionRole
- AWSConnector
- AWSControlTowerServiceRolePolicy
- AWSDMSServerlessServiceRolePolicy
- AWSDataExchangeFullAccess
- AWSDataExchangeProviderFullAccess
- AWSDataExchangeSubscriberFullAccess
- AWSDeepLensLambdaFunctionAccessPolicy
- AWSDeepLensServiceRolePolicy
- AWSDeepRacerFullAccess
- AWSDeepRacerRoboMakerAccessPolicy
- AWSDeepRacerServiceRolePolicy
- AWSDiscoveryContinuousExportFirehosePolicy
- AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy
- AWSElasticBeanstalkManagedUpdatesServiceRolePolicy
- AWSElasticBeanstalkReadOnly
- AWSElasticBeanstalkService
- AWSGlueConsoleFullAccess
- AWSGlueConsoleSageMakerNotebookFullAccess
- AWSGlueDataBrewServiceRole
- AWSGlueServiceNotebookRole
- AWSGlueServiceRole
- AWSGreengrassResourceAccessRolePolicy
- AWSIoTDeviceTesterForFreeRTOSFullAccess
- AWSLambdaExecute
- AWSLicenseManagerMasterAccountRolePolicy
- AWSManagedServicesDeploymentToolkitPolicy
- AWSMarketplaceImageBuildFullAccess
- AWSMigrationHubOrchestratorConsoleFullAccess
- AWSMigrationHubOrchestratorInstanceRolePolicy
- AWSMigrationHubOrchestratorPlugin
- AWSMigrationHubOrchestratorServiceRolePolicy
- AWSMigrationHubStrategyCollector
- AWSMigrationHubStrategyConsoleFullAccess
- AWSMigrationHubStrategyServiceRolePolicy
- AWSMobileHub_FullAccess
- AWSMobileHub_ReadOnly
- AWSOpsWorksCMInstanceProfileRole
- AWSOpsWorksCMServiceRole
- AWSPanoramaApplianceServiceRolePolicy
- AWSPanoramaFullAccess
- AWSPanoramaGreengrassGroupRolePolicy
- AWSPanoramaSageMakerRolePolicy
- AWSPanoramaServiceRolePolicy
- AWSQuickSetupPatchPolicyBaselineAccess
- AWSQuickSetupSSMManageResourcesExecutionPolicy
- AWSQuickSightSageMakerPolicy
- AWSQuicksightAthenaAccess
- AWSRefactoringToolkitFullAccess
- AWSRefactoringToolkitSidecarPolicy
- AWSResilienceHubAsssessmentExecutionPolicy
- AWSRoboMakerFullAccess
- AWSRoboMaker_FullAccess
- AWSServiceRoleForSMS
- AWSSupplyChainFederationAdminAccess
- AWSThinkboxAWSPortalAdminPolicy
- AWSThinkboxAWSPortalGatewayPolicy
- AWSThinkboxAWSPortalWorkerPolicy
- AWSThinkboxAssetServerPolicy
- AWSThinkboxDeadlineResourceTrackerAdminPolicy
- AdministratorAccess-Amplify
- AmazonAppStreamServiceAccess
- AmazonAthenaFullAccess
- AmazonBedrockStudioPermissionsBoundary
- AmazonBraketFullAccess
- AmazonBraketJobsExecutionPolicy
- AmazonBraketServiceRolePolicy
- AmazonCodeGuruReviewerServiceRolePolicy
- AmazonConnectServiceLinkedRolePolicy
- AmazonDMSRedshiftS3Role
- AmazonDataZoneEnvironmentRolePermissionsBoundary
- AmazonDataZoneRedshiftGlueProvisioningPolicy
- AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
- AmazonDataZoneSageMakerManageAccessRolePolicy
- AmazonEC2RolePolicyForApplicationWizard
- AmazonEC2RolePolicyForLaunchWizard
- AmazonEC2RoleforAWSCodeDeploy
- AmazonEC2RoleforAWSCodeDeployLimited
- AmazonEC2RoleforSSM
- AmazonElasticMapReduceReadOnlyAccess
- AmazonEverestServicePolicy
- AmazonFreeRTOSOTAUpdate
- AmazonGrafanaAthenaAccess
- AmazonLambdaRolePolicyForLaunchWizardSAP
- AmazonLaunchWizardFullAccessV2
- AmazonLaunchWizardFullaccess
- AmazonLaunchWizard_Fullaccess
- AmazonLookoutVisionConsoleFullAccess
- AmazonLookoutVisionConsoleReadOnlyAccess
- AmazonMachineLearningRoleforRedshiftDataSource
- AmazonMachineLearningRoleforRedshiftDataSourceV2
- AmazonMachineLearningRoleforRedshiftDataSourceV3
- AmazonMacieServiceRolePolicy
- AmazonPersonalizeFullAccess
- AmazonRedshiftAllCommandsFullAccess
- AmazonRekognitionCustomLabelsFullAccess
- AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
- AmazonSageMakerCanvasBedrockAccess
- AmazonSageMakerCanvasDataPrepFullAccess
- AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy
- AmazonSageMakerCanvasForecastAccess
- AmazonSageMakerCanvasFullAccess
- AmazonSageMakerClusterInstanceRolePolicy
- AmazonSageMakerFeatureStoreAccess
- AmazonSageMakerFullAccess
- AmazonSageMakerGeospatialExecutionRole
- AmazonSageMakerGroundTruthExecution
- AmazonSageMakerHyperPodInferenceAccess
- AmazonSageMakerModelGovernanceUseAccess
- AmazonSageMakerModelRegistryFullAccess
- AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
- AmazonSecurityLakeAdministrator
- AmazonSecurityLakeMetastoreManager
- AmazonSecurityLakePermissionsBoundary
- AmazonTranscribeFullAccess
- AmazonWorkSpacesPoolServiceAccess
- AmplifyBackendDeployFullAccess
- ApplicationDiscoveryServiceContinuousExportServiceRolePolicy
- AwsGlueDataBrewFullAccessPolicy
- AwsGlueSessionUserRestrictedNotebookServiceRole
- AwsGlueSessionUserRestrictedServiceRole
- BedrockAgentCoreFullAccess
- CloudWatchSyntheticsFullAccess
- ComprehendDataAccessRolePolicy
- ConfigConformsServiceRolePolicy
- DBModProvisioningAndMigration
- EC2InstanceProfileForImageBuilder
- EC2InstanceProfileForImageBuilderECRContainerBuilds
- GreengrassOTAUpdateArtifactAccess
- QuickSightAccessForS3StorageManagementAnalyticsReadOnly
- ROSAImageRegistryOperatorPolicy
- SageMakerStudioAdminIAMConsolePolicy
- SageMakerStudioAdminProjectUserRolePolicy
- SageMakerStudioBedrockAgentServiceRolePolicy
- SageMakerStudioBedrockChatAgentUserRolePolicy
- SageMakerStudioBedrockEvaluationJobServiceRolePolicy
- SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy
- SageMakerStudioBedrockPromptUserRolePolicy
- SageMakerStudioEMRInstanceRolePolicy
- SageMakerStudioFullAccess
- SageMakerStudioProjectProvisioningRolePolicy
- SageMakerStudioProjectRoleMachineLearningPolicy
- SageMakerStudioProjectUserRolePermissionsBoundary
- SageMakerStudioQueryExecutionRolePolicy
- SecretsManagerReadWrite
- SecurityLakeResourceManagementServiceRolePolicy
- ServerMigrationConnector
- ServerMigrationServiceConsoleFullAccess
- ServerMigrationServiceRole
- ServerMigrationServiceRoleForInstanceValidation
- ServerMigration_ServiceRole
- ServiceCatalogAdminReadOnlyAccess
- ServiceCatalogEndUserAccess
- VMImportExportRoleForAWSConnector
Deny (Action)
Thanks to Ian McKay for iam-dataset (MIT), structured data derived from the AWS Service Authorization Reference. Not maintained by AWS and not guaranteed current. IAMTrail's managed policy archive is separate.
Definitions bundle generated 4/7/2026, 3:29:24 AM