AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::IAM::Policy

The AWS::IAM::Policy type applies an Identity and Access Management (IAM) policy to users or groups. For more information about IAM policies, see Overview of Policies in the AWS Identity and Access Management User Guide.

This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.

Syntax

{
   "Type": "AWS::IAM::Policy",
   "Properties": {
      "Groups" : [ String, ... ],
      "PolicyDocument" : JSON,
      "PolicyName" : String,
      "Roles" : [ String, ... ],
      "Users" : [ String, ... ]
   }
}

Properties

Groups

The names of groups to which you want to add the policy.

Required: Conditional

Type: A list of strings

Update requires: no interruption

PolicyDocument

A policy document that contains permissions to add to the specified users or groups.

Required: Yes

Type: JSON object

Update requires: no interruption

PolicyName

The name of the policy.

Required: Yes

Type: String

Update requires: no interruption

Roles

The names of the AWS::IAM::Role resources to attach this policy to.

Required: No

Type: A list of strings

Update requires: no interruption

Users

The names of users for whom you want to add the policy.

Required: Conditional

Type: A list of strings

Update requires: no interruption

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, it returns the resource name.

For more information about using the Ref function, see Ref.

Examples

IAM Policy with policy group

{
   "Type" : "AWS::IAM::Policy",
   "Properties" : {
      "PolicyName" : "CFNUsers",
      "PolicyDocument" : {
         "Version" : "2012-10-17",
         "Statement": [ {
            "Effect"   : "Allow",
            "Action"   : [
               "cloudformation:Describe*",
               "cloudformation:List*",
               "cloudformation:Get*"
            ],
            "Resource" : "*"
         } ]
      },
      "Groups" : [ { "Ref" : "CFNUserGroup" } ]
   }
}        

This snippet is from IAM_Users_Groups_and_Policies.template.

IAM Policy with specified role

{
   "Type": "AWS::IAM::Policy",
   "Properties": {
      "PolicyName": "root",
      "PolicyDocument": {
         "Version" : "2012-10-17",
         "Statement": [
            { "Effect": "Allow", "Action": "*", "Resource": "*" }
         ]
      },
      "Roles": [ { "Ref": "RootRole" } ]
   }
}        

This snippet is from auto_scaling_with_instance_profile.template.
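
The following is an added example, not part of the AWS guide: a small Python linter that checks AWS::IAM::Policy resources in a template against the property table above and flags statements like the one in the "root" policy, which allows every action on every resource. The function names, the sample logical IDs (CFNUserPolicy, RootPolicy, Orphan) and the reading of "Conditional" as "at least one of Groups, Roles or Users must be set" are assumptions.

```python
import json

REQUIRED = ("PolicyName", "PolicyDocument")  # marked "Required: Yes" on this page
PRINCIPALS = ("Groups", "Roles", "Users")

def _as_list(value):
    """IAM accepts one item or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def lint_iam_policies(template):
    """Return (logical_id, finding) pairs for every AWS::IAM::Policy resource."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res.get("Properties", {})
        for name in REQUIRED:
            if name not in props:
                findings.append((logical_id, f"missing required property {name}"))
        # Assumption: "Conditional" means at least one principal list is set.
        if not any(props.get(key) for key in PRINCIPALS):
            findings.append((logical_id, "no Groups, Roles or Users listed"))
        statements = _as_list(props.get("PolicyDocument", {}).get("Statement", []))
        for index, stmt in enumerate(statements):
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action", []))
                    and "*" in _as_list(stmt.get("Resource", []))):
                findings.append((logical_id, f"statement {index} allows every action on every resource"))
    return findings

# Constructed sample: the page's two example policies (shortened) plus an incomplete one.
SAMPLE = json.loads("""
{"Resources": {
  "CFNUserPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "CFNUsers", "Groups": [{"Ref": "CFNUserGroup"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Action": ["cloudformation:Describe*", "cloudformation:List*"], "Resource": "*"}]}}},
  "RootPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "root", "Roles": [{"Ref": "RootRole"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
  "Orphan": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}}
}}
""")

if __name__ == "__main__":
    for logical_id, finding in lint_iam_policies(SAMPLE):
        print(f"{logical_id}: {finding}")
```

The read-only CloudFormation policy passes because its actions are scoped to a service prefix, even though its Resource is "*"; only the combination of a bare "*" action and a bare "*" resource is reported.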

To view more AWS::IAM::Policy snippets, see Declaring an IAM Policy.