AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Permissions and Policies

When you use your account's root credentials, you have unrestricted access to every resource in your AWS account. In contrast, IAM users, IAM groups, and IAM roles have no permissions at all until you explicitly grant them; a request from one of these entities is denied by default unless a policy allows it.

This section describes permissions, which are rights that you grant to a user, group, or role and that define what tasks that entity is allowed to perform in your AWS account. To define permissions, you use policies, which are documents in JSON format.
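The following added example (it is not code from the AWS guide) shows what a JSON policy document looks like and how the default-deny rule plays out when it is evaluated. The policy itself is constructed for illustration; `validate()` applies a few structural checks in the spirit of the policy grammar, and `evaluate()` implements a deliberately simplified model of IAM's evaluation logic for identity-based policies in a single account: implicit deny by default, an explicit Deny in any matching statement overrides every Allow, and an Allow grants otherwise. Conditions, NotAction/NotResource, resource-based policies, permissions boundaries and SCPs are not modelled here; the real evaluation rules are in the policy reference.

```python
import json
import re

# Constructed sample identity-based policy (illustration only): read access to
# one bucket, plus an explicit Deny on every Delete action, on any resource.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:Delete*",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """Action, Resource and Statement may be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' matches any sequence, '?' a single character.
    Action names are matched case-insensitively, ARNs are not."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def validate(policy):
    """Lint a policy document against the basic grammar; returns a list of problems."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be '2012-10-17' (required for policy variables)")
    statements = _as_list(policy.get("Statement"))
    if not statements:
        problems.append("Statement is required")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement {i}: Effect must be 'Allow' or 'Deny'")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"Statement {i}: exactly one of Action/NotAction is required")
        if ("Resource" in stmt) == ("NotResource" in stmt):
            problems.append(f"Statement {i}: exactly one of Resource/NotResource is required")
    return problems


def evaluate(policies, action, resource):
    """Simplified identity-based evaluation: ImplicitDeny unless a statement
    allows; ExplicitDeny as soon as any matching statement denies (assumption:
    Condition / NotAction / NotResource are out of scope and rejected)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise NotImplementedError("this toy evaluator only handles Action/Resource")
            action_hit = any(_matches(p, action, case_insensitive=True)
                             for p in _as_list(stmt.get("Action")))
            resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource")))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return "ExplicitDeny"      # a single explicit Deny ends the evaluation
            if stmt.get("Effect") == "Allow":
                decision = "Allow"         # keep scanning: a later Deny can still win
    return decision


if __name__ == "__main__":
    print("problems:", validate(SAMPLE_POLICY))
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for act in ("s3:GetObject", "s3:DeleteObject", "s3:PutObject"):
        print(act, "->", evaluate([SAMPLE_POLICY], act, obj))
```

Note that the Allow statement is scanned first and the Deny second, yet `s3:DeleteObject` is still denied: order of statements never matters in IAM, only whether any explicit Deny matches. `s3:PutObject` is not mentioned anywhere and falls through to the implicit deny.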

To learn more, we recommend you read the following sections:

  • Overview of AWS IAM Permissions — This section discusses types of permissions, how to grant them, and how to manage permissions.

  • Overview of AWS IAM Policies — This section discusses how to specify what actions are allowed, which resources to allow the actions on, and what the effect will be when the user requests access to the resources.

  • Managing IAM Policies — This section describes how to create and manage policies by using the AWS Management Console, the AWS CLI, and the IAM API.

  • Testing IAM Policies — This section describes how to test user and group policies using the IAM Policy Simulator.

  • Using Policy Validator — This section describes how to use the Policy Validator when you have policies that do not comply with the AWS policy grammar.

  • AWS IAM Policy Reference — This section describes the elements, variables, and evaluation logic used in policies.

  • Example Policies for Administering IAM Resources — This section lists policies that let users perform tasks specific to IAM, like administer users, groups, and credentials.

  • Example Policies for Administering AWS Resources — This section lists policies that let users perform tasks with other AWS services, like Amazon S3, Amazon EC2, and DynamoDB.