
# Visual Policy Builder

The **Visual Policy Builder** is a graphical interface for creating and editing IAM policies without writing raw JSON. It organizes a policy into individual **statements**, each of which you configure through dropdowns and search fields. You can switch between Visual and JSON modes at any time - both views share the same underlying policy document.

## Switching Between Visual and JSON Mode

When creating or editing a policy, a **Visual | JSON** toggle appears at the top of the policy editor. Click **Visual** to use the Visual Policy Builder, or **JSON** to edit the raw policy document directly.

## Quick apply on bucket(s)

At the top of the Visual Policy Builder, the **Quick apply on bucket(s)** presets populate an entire statement in one click:

| Preset           | What it creates                                                                   |
| ---------------- | --------------------------------------------------------------------------------- |
| **Read only**    | `s3:Get*` and `s3:List*` actions on a selected bucket and its objects             |
| **Read & write** | `s3:Get*`, `s3:List*`, and `s3:Put*` actions on a selected bucket and its objects |
| **Full access**  | All `s3:*` actions on a selected bucket and its objects                           |

Clicking a preset opens a bucket selection modal. Select one or more buckets and confirm - the builder automatically creates the correct ARNs for both bucket-level and object-level resources.

## Working with Statements

A policy is composed of one or more **statements**. Each statement appears as a collapsible card. Use the buttons on the right side of each card to:

* **Move up / Move down** - reorder statements within the policy
* **Duplicate** - copy the statement
* **Clear / Delete** - clears the statement's fields when the policy has a single statement, or deletes the statement when it has more than one

Click **Add Statement** at the bottom of the builder to append a new empty statement.

### Effect

Each statement starts with an **Effect** selector. Choose:

* **Allow** - grant the listed actions on the listed resources
* **Deny** - explicitly block the listed actions, overriding any Allow

### Actions

The **Actions** section lets you choose which S3 or IAM operations the statement covers.

**Filtering by service:** Use the **All / S3 / IAM / STS** tabs to narrow the action list by service.

**Searching:** Type in the search box to filter actions by name or description.

**Action presets:** Click **Presets** to open a menu of predefined action groups, then select one:

| Preset                | Actions included                                             |
| --------------------- | ------------------------------------------------------------ |
| S3 Read Only          | `s3:Get*`, `s3:List*`                                        |
| S3 Read/Write         | `s3:Get*`, `s3:List*`, `s3:Put*`                             |
| S3 Full Access        | `s3:*`                                                       |
| IAM User Management   | IAM actions for creating and managing users                  |
| IAM Group Management  | IAM actions for creating and managing groups                 |
| IAM Policy Management | IAM actions for creating and managing policies               |
| Console UI            | Actions required to use the Impossible Cloud Storage Console |
| IAM Read Only         | Read-only IAM actions                                        |

**Custom actions:** Enter a wildcard pattern such as `s3:Get*` or `iam:*` in the custom action field and press Enter to add it.

{% hint style="info" %}
Use the **Selected only** toggle to filter the action list down to only the actions you have already checked. This makes it easy to review your selection before saving.
{% endhint %}

### Resources

The **Resources** section defines which resources the statement applies to. You can specify resources in two ways:

**Quick templates:** Click a template button to insert a pre-built ARN pattern. The templates are:

* **All resources** (`*`)
* **All S3 resources** (`arn:aws:s3:::*`)
* **All IAM users**, **All IAM groups**, **All IAM policies**
* **Specific bucket** (`arn:aws:s3:::my-bucket`)
* **Bucket objects** (`arn:aws:s3:::my-bucket/*`)
* **Bucket + objects** (both the bucket and its objects)

**Custom ARN:** Enter an ARN directly in the input field and press Enter. Values must be `*`, start with `arn:`, or follow standard ARN syntax.

### Conditions

Conditions are optional restrictions that must be met for the statement to apply. Expand **Conditions (optional)**, then click **Add condition**. Each condition has three parts:

* **Operator** - how the value is evaluated. The visual builder offers `IpAddress` and `NotIpAddress`.
* **Context key** - the key to evaluate, either `aws:SourceIp` or `aws:username`.
* **Value** - one or more values (comma-separated for OR matching)

Example:

* **Restrict by IP address:** Operator `IpAddress`, Context key `aws:SourceIp`, Value `203.0.113.0/24`

The visual builder handles IP-based conditions. For string conditions (such as matching `aws:username` with `StringLike`) or any other operator, switch to the JSON editor.
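How Effect, Actions, Resources and Conditions combine in one decision, as an added example (not Impossible Cloud's code). It is a simplified model that assumes the JSON document uses AWS-style `Statement`, `Effect`, `Action`, `Resource` and `Condition` fields; the bucket name, prefix, IP ranges and the `ImplicitDeny` label are constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed policy (bucket name and IP ranges are sample values): read-only
# access to my-bucket from two ranges, with an explicit Deny on one prefix.
POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]}}},
    {"Effect": "Deny",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::my-bucket/private/*"]},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # "*" wildcards as in s3:Get* or arn:aws:s3:::my-bucket/*
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _ip_in(ranges, ip):
    # Several values for one key are ORed: any matching range is a hit.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges))

def _conditions_ok(cond, ctx):
    for op, keys in cond.items():
        for key, values in keys.items():
            known = op in ("IpAddress", "NotIpAddress") and key == "aws:SourceIp"
            if not known or key not in ctx:
                return False  # not modelled here: treat the statement as not applying
            if _ip_in(values, ctx[key]) != (op == "IpAddress"):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" (nothing matched)."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _conditions_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision
```

The Allow statement lists both the bucket ARN and the `/*` object ARN, so bucket-level requests such as listing and object-level requests such as reads both match it.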

## Creating a Policy Using the Visual Builder

1. Navigate to the **Policies** tab in the left-pane menu.
2. Click **Add Policy** in the top-right corner.
3. Enter a **Policy name** and an optional **description**.

{% hint style="info" %}
The policy name must consist of alphanumeric characters (upper and lowercase) with no spaces. Once created, the policy name and description cannot be changed.
{% endhint %}

4. Click **Visual** in the mode toggle to switch to the Visual Policy Builder.
5. Configure the first statement:
   * Select an **Effect** (Allow or Deny).
   * Select the **Actions** the statement should cover.
   * Add the **Resources** the statement applies to.
   * Optionally add **Conditions**.
6. Click **Add Statement** to add additional statements if needed.
7. Click **Create Policy** in the top-right corner to save.

## Editing a Policy Using the Visual Builder

1. Navigate to the **Policies** tab in the left-pane menu.
2. Click **Edit** next to the policy you want to modify.
3. Click **Visual** in the mode toggle if the JSON editor is currently active.
4. Edit any statement by updating its Effect, Actions, Resources, or Conditions, or click **Add Statement** to add a new one.
5. Click **Save** in the top-right corner to create a new version.
6. Click on the newly created version and **set it as the default** to activate it.

{% hint style="info" %}
The Storage Console supports a maximum of 5 policy versions. If this limit is reached, you must delete an existing version before saving a new one.
{% endhint %}


