diff --git a/IAM/README.md b/IAM/README.md
new file mode 100644
index 0000000..a54d003
--- /dev/null
+++ b/IAM/README.md
@@ -0,0 +1,7 @@
+# IAM Policies
+
+Actually those policies are tested on Wasabi S3 account.
+
+## Limitations
+
+* The policy `user_allow_specific_bucket.json` doesn't allow console operations
diff --git a/IAM/user_allow_specific_bucket.json b/IAM/user_allow_specific_bucket.json
new file mode 100644
index 0000000..3c2d4b2
--- /dev/null
+++ b/IAM/user_allow_specific_bucket.json
@@ -0,0 +1,15 @@
+{
+ "Statement": [
+ {
+ "Resource": [
+ "arn:aws:s3:::bucket-name/*",
+ "arn:aws:s3:::bucket-name"
+ ],
+ "Action": [
+ "s3:*"
+ ],
+ "Effect": "Allow"
+ }
+ ],
+ "Version": "2012-10-17"
+}
diff --git a/IAM/user_deny_explicitly_all_excluding_bucket.json b/IAM/user_deny_explicitly_all_excluding_bucket.json
new file mode 100644
index 0000000..32f0456
--- /dev/null
+++ b/IAM/user_deny_explicitly_all_excluding_bucket.json
@@ -0,0 +1,25 @@
+{
+ "Statement": [
+ {
+ "NotResource": [
+ "arn:aws:s3:::bucket-name/*",
+ "arn:aws:s3:::bucket-name"
+ ],
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads"
+ ],
+ "Effect": "Deny"
+ },
+ {
+ "NotResource": [
+ "arn:aws:s3:::bucket-name/*",
+ "arn:aws:s3:::bucket-name"
+ ],
+ "Action": "s3:*",
+ "Effect": "Deny"
+ }
+ ],
+ "Version": "2012-10-17"
+}
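Review bot: `"Action": ["s3:*"]` in the Allow statement of user_allow_specific_bucket.json is broader than "use this bucket": it also covers bucket-management actions such as `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl`, so the user can reconfigure or remove the bucket, not just read and write objects in it. If the intent is data access only, enumerate the object and listing actions the user needs (for example `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`, `s3:ListBucket`, `s3:GetBucketLocation`) and keep the management actions out. The console limitation recorded in the README is presumably because nothing here grants `s3:ListAllMyBuckets` on `arn:aws:s3:::*`, which the bucket list view needs; worth confirming on Wasabi and, if so, stating the cause next to the limitation. A `"Sid"` on the statement would also make it easier to reference in reviews and audit output.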
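Review bot: The first Deny statement in user_deny_explicitly_all_excluding_bucket.json (`s3:ListBucket`, `s3:GetBucketLocation`, `s3:ListBucketMultipartUploads` on the same `NotResource`) is fully subsumed by the second, which denies `s3:*` on exactly that `NotResource`, so it adds nothing to the effective permissions and just has to be kept in sync by hand; either drop it or add a `"Sid"` and a line in the README explaining why it is kept separately. Note also that a policy containing only Deny statements grants nothing by itself — it is only meaningful when attached alongside an Allow such as user_allow_specific_bucket.json, and the README should say which Allow it is meant to be paired with. Because the `s3:*` deny applies to every resource outside the named bucket, it presumably also denies account-level actions like `s3:ListAllMyBuckets`, so the console limitation noted for the other policy likely applies here too; worth confirming. Minor style point: `"Action"` is an array in the first statement and a bare string in the second — pick one form.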