AWS setup (~10 min)

Connect AWS in 3 simple steps

You will create a permission policy, run the IAM “create role” wizard (trust policy, attach that policy, name the role), then paste your role ARN here. No AWS expert knowledge required—just follow the steps in order.

Want the same flow with AWS Console screenshots? See the detailed screenshot guide.

First, create a permission policy. It tells AWS which actions are allowed for this app—S3 storage by default, plus optional EC2 and SSM blocks if you enable them below.

Optional features

S3 permissions are always included. Check what you need — the JSON policy updates automatically.

  1. Open the AWS console and go to IAM Policies.
  2. Click Create policy.
  3. Open the JSON tab.
  4. Delete any sample text, then paste the policy below.
  5. Click Next. On the review screen, enter a policy name. A good default is below—click it to copy; you will paste or type the same name when searching for the policy in Step 2. A toast will say Copied when it works.
    (You can use a different name—just use it consistently.)
    Then click Create policy.

You will attach this policy when you create the role in Step 2—remember the name you chose.

Open IAM Policies in AWS

Includes: S3 buckets, objects, copy/rename, versioning, bucket policy. Attach this policy to the IAM role you connect in Step 3 (not to individual EC2 instances).

Assumable role policy JSON — S3 only (paste in IAM)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketListAndCreate",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:CreateBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "BucketConfigAndCors",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketCors",
        "s3:PutBucketCors",
        "s3:GetBucketPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "ObjectReadWriteDelete",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "S3BucketDeletion",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "S3BucketPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "S3ObjectVersioning",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketVersions",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "S3MultipartUpload",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
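
One way to review and narrow the policy above before pasting it, as an added example that is not part of this app's own setup flow: the script flags statements that grant bucket-policy, public-access-block or bucket-deletion actions on every bucket, then rewrites the all-bucket ARNs to buckets you name. The bucket name `example-app-data` and the function names are assumptions, and scoping assumes the app only needs to manage the buckets you list.

```python
import json

# Actions in the page's policy that change who can reach a bucket, or destroy it.
HIGH_IMPACT = {"s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
               "s3:PutBucketPublicAccessBlock", "s3:DeleteBucket"}
ALL_BUCKETS, ALL_OBJECTS = "arn:aws:s3:::*", "arn:aws:s3:::*/*"

# Constructed sample: three statements copied from the policy above.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "BucketListAndCreate", "Effect": "Allow",
   "Action": ["s3:ListAllMyBuckets", "s3:CreateBucket"], "Resource": "*"},
  {"Sid": "ObjectReadWriteDelete", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
   "Resource": "arn:aws:s3:::*/*"},
  {"Sid": "S3BucketPolicy", "Effect": "Allow",
   "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
   "Resource": "arn:aws:s3:::*"}]}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """Return (Sid, action) pairs where a high-impact action applies to every bucket."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not {"*", ALL_BUCKETS} & set(as_list(st["Resource"])):
            continue
        findings += [(st["Sid"], a) for a in as_list(st["Action"]) if a in HIGH_IMPACT]
    return findings

def scope_to_buckets(policy, buckets):
    """Copy the policy with all-bucket and all-object ARNs replaced by named buckets.
    Statements whose Resource is "*" are left alone (s3:ListAllMyBuckets needs it)."""
    scoped = json.loads(json.dumps(policy))  # deep copy, input is not modified
    for st in scoped["Statement"]:
        resources = []
        for r in as_list(st["Resource"]):
            if r == ALL_BUCKETS:
                resources += [f"arn:aws:s3:::{b}" for b in buckets]
            elif r == ALL_OBJECTS:
                resources += [f"arn:aws:s3:::{b}/*" for b in buckets]
            else:
                resources.append(r)
        st["Resource"] = resources
    return scoped

if __name__ == "__main__":
    print(wildcard_findings(SAMPLE))
    print(json.dumps(scope_to_buckets(SAMPLE, ["example-app-data"]), indent=2))
```
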
What's next?
Sign in when you are ready to verify your role in Step 3. Until then, you can still build the policy and role in AWS using Steps 1–2.
Having trouble?
Short answers to common setup problems.