s3:ListBucket
Literal appearances in AWS managed IAM policies. Statements that use wildcards (for example s3:*) are not counted here. This is not an IAM authorization simulation.
- Policies (any): 173
- Allow (Action): 170
- Deny (Action): 3
- NotAction: 5
Index generated 4/7/2026, 3:29:24 AM. 559 policies include at least one wildcard action string (any service).
Action reference
SAR-style (unofficial)
Service: Amazon S3
Access level: List
Description: Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)
Resource types
- accesspoint
- bucket
Allow (Action)
- AWS-SSM-Automation-DiagnosisBucketPolicy
- AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy
- AWS-SSM-RemediationAutomation-AdministrationRolePolicy
- AWSAgentlessDiscoveryService
- AWSBackupServiceRolePolicyForItemRestores
- AWSBackupServiceRolePolicyForS3Backup
- AWSBackupServiceRolePolicyForS3Restore
- AWSCleanRoomsFullAccess
- AWSCleanRoomsMLFullAccess
- AWSCloudTrailFullAccess
- AWSCodePipelineReadOnlyAccess
- AWSCodePipeline_FullAccess
- AWSCodePipeline_ReadOnlyAccess
- AWSConfigRole
- AWSConfigServiceRolePolicy
- AWSConnector
- AWSCostAndUsageReportAutomationPolicy
- AWSDMSServerlessServiceRolePolicy
- AWSDataExchangeFullAccess
- AWSDataExchangeProviderFullAccess
- AWSDataExchangeSubscriberFullAccess
- AWSDataSyncFullAccess
- AWSDataSyncReadOnlyAccess
- AWSDeepLensLambdaFunctionAccessPolicy
- AWSDeepLensServiceRolePolicy
- AWSDeepRacerCloudFormationAccessPolicy
- AWSDeepRacerFullAccess
- AWSDeepRacerRoboMakerAccessPolicy
- AWSDeepRacerServiceRolePolicy
- AWSDiscoveryContinuousExportFirehosePolicy
- AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy
- AWSElasticBeanstalkManagedUpdatesServiceRolePolicy
- AWSElasticBeanstalkReadOnly
- AWSElasticBeanstalkRoleCore
- AWSElasticBeanstalkService
- AWSElementalMediaConvertFullAccess
- AWSElementalMediaConvertReadOnly
- AWSEntityResolutionConsoleFullAccess
- AWSForWordPressPluginPolicy
- AWSGlueConsoleFullAccess
- AWSGlueConsoleSageMakerNotebookFullAccess
- AWSGlueDataBrewServiceRole
- AWSGlueServiceNotebookRole
- AWSGlueServiceRole
- AWSImageBuilderFullAccess
- AWSIoTDeviceTesterForFreeRTOSFullAccess
- AWSLakeFormationDataAdmin
- AWSLicenseManagerMasterAccountRolePolicy
- AWSLicenseManagerServiceRolePolicy
- AWSManagedServicesDeploymentToolkitPolicy
- AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy
- AWSMarketplaceImageBuildFullAccess
- AWSMigrationHubOrchestratorConsoleFullAccess
- AWSMigrationHubOrchestratorServiceRolePolicy
- AWSMigrationHubStrategyCollector
- AWSMigrationHubStrategyServiceRolePolicy
- AWSMobileHub_FullAccess
- AWSOpsWorksCMInstanceProfileRole
- AWSOpsWorksCMServiceRole
- AWSPanoramaApplianceServiceRolePolicy
- AWSPanoramaFullAccess
- AWSPanoramaGreengrassGroupRolePolicy
- AWSPanoramaServiceRolePolicy
- AWSProtonDeveloperAccess
- AWSQuickSetupSSMDeploymentS3BucketRolePolicy
- AWSQuickSightSageMakerPolicy
- AWSQuicksightAthenaAccess
- AWSRefactoringToolkitFullAccess
- AWSRefactoringToolkitSidecarPolicy
- AWSResilienceHubAsssessmentExecutionPolicy
- AWSResourceExplorerServiceRolePolicy
- AWSServiceRoleForSMS
- AWSSupplyChainFederationAdminAccess
- AWSSystemsManagerEnableConfigRecordingExecutionPolicy
- AWSThinkboxAWSPortalAdminPolicy
- AWSThinkboxAWSPortalGatewayPolicy
- AWSThinkboxAWSPortalWorkerPolicy
- AWSThinkboxAssetServerPolicy
- AWSTrustedAdvisorServiceRolePolicy
- AWS_ConfigRole
- AWS_Config_Role
- AdministratorAccess-AWSElasticBeanstalk
- AdministratorAccess-Amplify
- AmazonAppFlowFullAccess
- AmazonAppStreamServiceAccess
- AmazonAthenaFullAccess
- AmazonBedrockStudioPermissionsBoundary
- AmazonBraketFullAccess
- AmazonBraketJobsExecutionPolicy
- AmazonBraketServiceRolePolicy
- AmazonChimeFullAccess
- AmazonDMSRedshiftS3Role
- AmazonDataZoneEnvironmentRolePermissionsBoundary
- AmazonDataZoneFullAccess
- AmazonDataZoneRedshiftGlueProvisioningPolicy
- AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
- AmazonDataZoneSageMakerManageAccessRolePolicy
- AmazonEC2RolePolicyForLaunchWizard
- AmazonEC2RoleforAWSCodeDeploy
- AmazonEC2RoleforAWSCodeDeployLimited
- AmazonEC2RoleforSSM
- AmazonElasticMapReduceReadOnlyAccess
- AmazonElasticTranscoderRole
- AmazonElasticTranscoder_FullAccess
- AmazonElasticTranscoder_JobsSubmitter
- AmazonElasticTranscoder_ReadOnlyAccess
- AmazonFSxConsoleFullAccess
- AmazonFreeRTOSOTAUpdate
- AmazonGrafanaAthenaAccess
- AmazonHealthLakeFullAccess
- AmazonLambdaRolePolicyForLaunchWizardSAP
- AmazonLaunchWizardFullAccessV2
- AmazonLaunchWizard_Fullaccess
- AmazonLookoutVisionConsoleFullAccess
- AmazonMacieServiceRolePolicy
- AmazonMacieSetupRole
- AmazonPersonalizeFullAccess
- AmazonRedshiftAllCommandsFullAccess
- AmazonRekognitionCustomLabelsFullAccess
- AmazonRoute53FullAccess
- AmazonSageMakerCanvasBedrockAccess
- AmazonSageMakerCanvasDataPrepFullAccess
- AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy
- AmazonSageMakerCanvasForecastAccess
- AmazonSageMakerCanvasFullAccess
- AmazonSageMakerClusterInstanceRolePolicy
- AmazonSageMakerFullAccess
- AmazonSageMakerGroundTruthExecution
- AmazonSageMakerModelGovernanceUseAccess
- AmazonSageMakerModelRegistryFullAccess
- AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
- AmazonSecurityLakeAdministrator
- AmazonSecurityLakeMetastoreManager
- AmazonSecurityLakePermissionsBoundary
- AmazonTimestreamInfluxDBFullAccess
- AmazonTimestreamInfluxDBFullAccessWithoutMarketplaceAccess
- AmazonWorkSpacesPoolServiceAccess
- ApplicationDiscoveryServiceContinuousExportServiceRolePolicy
- AwsGlueDataBrewFullAccessPolicy
- BedrockAgentCoreFullAccess
- CloudWatchAutomaticDashboardsAccess
- CloudWatchSyntheticsFullAccess
- ComprehendDataAccessRolePolicy
- ComprehendFullAccess
- DBModProvisioningAndMigration
- GroundTruthSyntheticConsoleFullAccess
- GroundTruthSyntheticConsoleReadOnlyAccess
- NetworkAdministrator
- ROSAImageRegistryOperatorPolicy
- SageMakerStudioAdminProjectUserRolePolicy
- SageMakerStudioBedrockChatAgentUserRolePolicy
- SageMakerStudioBedrockEvaluationJobServiceRolePolicy
- SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy
- SageMakerStudioBedrockPromptUserRolePolicy
- SageMakerStudioFullAccess
- SageMakerStudioProjectProvisioningRolePolicy
- SageMakerStudioProjectRoleMachineLearningPolicy
- SageMakerStudioProjectUserRolePermissionsBoundary
- SageMakerStudioProjectUserRolePolicy
- SageMakerStudioQueryExecutionRolePolicy
- SecurityAudit
- SecurityLakeResourceManagementServiceRolePolicy
- ServerMigrationConnector
- ServerMigrationServiceRole
- ServerMigration_ServiceRole
- TranslateFullAccess
- VMImportExportRoleForAWSConnector
- ViewOnlyAccess
Deny (Action)
Thanks to Ian McKay for iam-dataset (MIT), structured data derived from the AWS Service Authorization Reference. Not maintained by AWS and not guaranteed current. IAMTrail's managed policy archive is separate.
Definitions bundle generated 4/7/2026, 3:29:24 AM