Creating a New Policy
You have several ways to create a new IAM permissions policy. You can copy a complete AWS managed policy that already does some of what you need and then customize the copy to your specific requirements. You can instead let the policy generator build the statements for you by selecting actions, resources, and conditions from lists, or you can create the policy from scratch by writing the JSON document yourself.
A policy consists of one or more statements. Each statement generally contains all the actions that share the same effect (Allow or Deny) and the same resources. If one action requires "*" for the resource and another action specifies the ARN of a specific resource, they must be in two separate statements.
Create a policy
No matter which option you choose, they all start the same way:
To start creating a new policy
Sign in to the IAM console at https://console.aws.amazon.com/iam/.
In the navigation column on the left, choose Policies.
If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
At the top of the page, choose Create Policy.
On the Create Policy page choose Select for one of the following options. Then follow the steps in the selected procedure:
Copy an AWS Managed Policy — Copies an existing managed policy and enables you to customize the copy for its new purpose.
Policy Generator — Creates a policy by letting you select items from lists.
Create Your Own Policy — Opens the policy editor with a blank policy that you can type or copy and paste into.
Copy an existing managed policy
An easy way to create a new policy is to start with a copy of a policy that has at least some of the needed functionality already in it. You can then customize the policy to match it to your new requirements. Start by following the steps in the preceding procedure, Create a policy.
To create a copy of an existing policy
On the Copy an AWS Managed Policy page, choose Select for the managed policy that most closely approximates the policy you want to create. You can filter the list by typing in the Search Policies box at the top of the page.
On the Review Policy page, enter a Policy Name and Description (optional), and edit the policy in the Policy Document box so that it meets your new requirements. Choose Create Policy when you are ready to save.
Construct a policy with the policy generator
The policy generator can create a policy without you having to write JSON syntax. Start by following the steps in the procedure Create a policy at the top of this page.
To use the policy generator to create a policy
On the Edit Permissions page, for Effect, choose Allow or Deny. Because IAM denies every request by default, we recommend as a security best practice that you allow only those actions and resources that a user actually needs. This is sometimes called "whitelisting". You need a statement with an explicit Deny ("blacklisting") only when you want to override a permission that is separately allowed by another statement or policy. Keep the number of explicit Deny statements to a minimum, because they make permissions harder to troubleshoot.
Select the AWS service whose actions you want to allow or deny from the list.
Choose the actions that you want to allow or deny. The list shows actions for the service that you selected in step 2. You can specify All Actions or specify individual actions by selecting the box next to each action name. When you are done selecting actions, click outside of the list to close it. The list shows how many actions you selected.
Type the resource you want to allow or deny access to. Some operations allow only "Resource":"*", while others allow you to specify the Amazon Resource Name (ARN) of individual resources. You can include an asterisk (*) as a wildcard in any field of the ARN (between each pair of colons), or specify an asterisk by itself to mean "any resource in the account." For example, arn:aws:s3:::* represents all S3 buckets and objects. Note that S3 ARNs carry no account ID, so this pattern is not limited to buckets in your own account. For more information, see Resource.
You can add Condition elements to limit a statement's effect. For example, you can specify that a user is allowed to perform the actions on the resources only when that user's request happens within a certain time range, is authenticated with a multi-factor authentication device, or originates from within a certain range of IP addresses. For lists of all of the context keys you can use in the Condition element, see AWS Service Actions and Condition Context Keys for Use in IAM Policies. To begin, click Add Conditions (optional).
For Condition choose the type of comparison that you want to perform.
For Key choose the context key whose value you want to evaluate when a user makes a request.
For Value type the value you want to compare to the specified key.
Choose Add Condition to add this completed condition to the current statement. To add another condition, modify the settings and choose Add Condition again. Repeat as needed. Each condition applies only to this one statement. All the conditions must be true for the statement to be considered a match; you can think of the conditions as being connected by a logical AND. (If you list several values for a single condition key, the request matches when any one of those values matches.)
When you have completed all of the fields needed for this statement, choose Add Statement. If you need to add more statements to the policy, repeat the preceding steps. Any time you need to change the effect or change the affected resources, you must create a new statement.
After you have added all of the statements that you need, choose Next Step to see your statements in the policy editor. If you want to make changes, you can manually edit the policy further. Edit and save the policy using the steps shown in the following procedure.
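The following Python is an added example, not part of this page and not AWS code. It models how the statements built in this procedure are evaluated against a request: an implicit deny unless some statement allows, an explicit Deny that overrides any Allow, "*" and "?" wildcards in Action and Resource (one statement for "*", a separate one for specific ARNs), and Condition entries that are ANDed together. Only the three condition operators the sample policy uses are implemented, and the bucket name, IP range, and request contexts are constructed for the example.

```python
"""Simplified model of IAM statement matching (added example, not AWS code).

Implements only the rules described on the page: implicit deny by default,
explicit Deny overriding Allow, '*' and '?' wildcards, and Condition entries
ANDed together.  The real IAM evaluation engine is considerably larger.
"""
import ipaddress
import re

# Built the way the policy generator would: three statements, because the
# actions differ in Effect or in Resource ("*" versus specific ARNs).
# The bucket name and the IP range are made up for this example.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # s3:ListAllMyBuckets accepts only Resource "*", so it stands alone
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
        },
        {   # reads on one bucket, only with MFA and only from the office range
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            },
        },
        {   # explicit Deny: wins even if another policy allows deletion
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Every operator and every key must match: the entries are ANDed together."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:          # key absent from the request: no match
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":   # several values for one key are ORed
                if actual not in _as_list(expected):
                    return False
            elif operator == "IpAddress":
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_wild(p, action, ignore_case=True) for p in _as_list(st["Action"])):
            continue                    # action names are case-insensitive
        if not any(_wild(p, resource) for p in _as_list(st["Resource"])):
            continue                    # resource ARNs are case-sensitive
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"       # an explicit Deny ends evaluation
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    mfa_office = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.10"}
    print(evaluate(POLICY, "s3:GetObject", obj, mfa_office))     # Allow
    print(evaluate(POLICY, "s3:GetObject", obj, no_mfa))         # ImplicitDeny
    print(evaluate(POLICY, "s3:DeleteObject", obj, mfa_office))  # ExplicitDeny
    print(evaluate(POLICY, "s3:ListAllMyBuckets", "*"))          # Allow
```

The request without MFA is not denied by any statement; it simply matches none, which is the implicit deny the page describes. The s3:DeleteObject request, by contrast, is stopped by the explicit Deny even though nothing else is evaluated afterwards, which is why explicit Deny statements are harder to troubleshoot than the absence of an Allow.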
Edit a policy using the policy editor
You can also use the policy editor to create a new policy. Start by following the steps in the procedure Create a policy at the top of the page.
To create a new policy in the policy editor
For Policy Name, type a unique name that helps you to remember what your policy is intended to do.
(Optional) For Description, type an explanation for future reference.
For Policy Document, add or edit policy statements. For details about the IAM policy language, see AWS IAM Policy Reference.
You can choose Validate Policy any time during editing to ensure the policy is syntactically correct. You can save the policy only if the syntax is correct.
The policy validator only checks the JSON policy syntax and grammar. It does not validate that your ARNs, action names, or condition keys are correct, so a policy that refers to a misspelled action or a nonexistent resource saves successfully and then matches nothing.
When you are done with the policy, choose Create Policy to save your completed policy.
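As an added example (not part of this page and not the console's validator), the following Python shows the gap the preceding note describes. json.loads() stands in for what the syntax validator confirms, that the document is well-formed; the extra checks then flag the classes of mistake the validator does not catch as far as shape allows: an Action without a service prefix, a Resource that is neither "*" nor ARN-shaped, an unknown Condition operator, and a few grammar rules for identity-based policies. The sample policy below is constructed; it parses as valid JSON yet would not do what its author intended.

```python
"""Structural checks beyond JSON syntax (added example, not AWS code).

A real action list is not embedded, so a plausibly spelled but nonexistent
action such as "s3:GetObjct" still passes; only the shape of each element
is checked here.
"""
import json
import re

CONDITION_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike",
    "NumericEquals", "NumericNotEquals", "NumericLessThan",
    "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals",
    "DateEquals", "DateNotEquals", "DateLessThan", "DateLessThanEquals",
    "DateGreaterThan", "DateGreaterThanEquals", "Bool", "BinaryEquals",
    "IpAddress", "NotIpAddress", "ArnEquals", "ArnLike", "ArnNotEquals",
    "ArnNotLike", "Null",
}
STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction", "Resource",
                  "NotResource", "Condition", "Principal", "NotPrincipal"}
# "*" or service:Operation, where the operation part may contain wildcards
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[a-z0-9*?]+)$", re.IGNORECASE)
# arn:partition:service:region:account-id:resource; region and account may be
# empty (as for S3) and the resource part may itself contain colons
ARN_RE = re.compile(r"^arn:(aws|aws-[a-z-]+|\*):[a-z0-9*-]+:[a-z0-9*-]*:([0-9]{12}|\*)?:.+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _check_condition(condition, where, findings):
    if not isinstance(condition, dict):
        findings.append(f"{where}: Condition must be a JSON object")
        return
    for operator, pairs in condition.items():
        # strip the set-operator prefix and the IfExists suffix before lookup
        base = re.sub(r"^(ForAllValues|ForAnyValue):", "", operator)
        base = re.sub(r"IfExists$", "", base)
        if base not in CONDITION_OPERATORS:
            findings.append(f"{where}: unknown condition operator {operator!r}")
        if not isinstance(pairs, dict) or not pairs:
            findings.append(f"{where}: operator {operator!r} needs a key/value object")


def lint_policy(document):
    """Return a list of findings for a policy JSON string; [] means none found."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]       # the class of error the console reports
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append('Version should be "2012-10-17"; without it, policy '
                        'variables are treated as literal text')
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if not isinstance(st, dict):
            findings.append(f"{where}: must be a JSON object")
            continue
        for key in sorted(set(st) - STATEMENT_KEYS):
            findings.append(f"{where}: unknown element {key!r}")
        if st.get("Effect") not in ("Allow", "Deny"):     # canonical spelling only
            findings.append(f"{where}: Effect must be exactly 'Allow' or 'Deny'")
        if ("Action" in st) == ("NotAction" in st):
            findings.append(f"{where}: exactly one of Action or NotAction is required")
        if ("Resource" in st) == ("NotResource" in st):
            findings.append(f"{where}: exactly one of Resource or NotResource is required")
        if "Principal" in st or "NotPrincipal" in st:     # identity-based policy rule
            findings.append(f"{where}: identity-based policies must not name a Principal")
        for action in _as_list(st.get("Action", st.get("NotAction", []))):
            if not (isinstance(action, str) and ACTION_RE.match(action)):
                findings.append(f"{where}: action {action!r} is not service:Operation")
        for res in _as_list(st.get("Resource", st.get("NotResource", []))):
            if res != "*" and not (isinstance(res, str) and ARN_RE.match(res)):
                findings.append(f"{where}: resource {res!r} is not '*' or an ARN")
        if "Condition" in st:
            _check_condition(st["Condition"], where, findings)
    return findings


# Constructed sample: valid JSON, so a syntax-only validator accepts it, yet
# the effect, first action, resource ARN and condition operator are all wrong.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "allow",
        "Action": ["GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3::example-bucket",
        "Condition": {"StringEqual": {"aws:username": "alice"}},
    }],
})

if __name__ == "__main__":
    for finding in lint_policy(BAD_POLICY):
        print(finding)
```

Run the script against a policy document before pasting it into the editor; anything it reports would otherwise be saved by the console and only show up later as a permission that unexpectedly matches nothing.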
After you create a policy, you can apply it by attaching it to your users, groups, or roles. For more information, see Attaching Managed Policies.