AWS Identity and Access Management
User Guide

Controlling Access to Managed Policies

Managed policies give you precise control over how your users can manage policies and manage permissions for others. You can separately control who can create, update, and delete policies, and who can attach and detach policies to and from principal entities (users, groups, and roles). You can also control which policies a user can attach or detach, and to and from which entities.

A typical scenario is that you give permissions to an account administrator to create, update, and delete policies. Then, you give permissions to a team leader or other limited administrator to attach and detach these policies to and from principal entities that the limited administrator manages.

Controlling Permissions for Creating, Updating, and Deleting Customer Managed Policies

You can use IAM policies to control who is allowed to create, update, and delete customer managed policies in your AWS account. The following list contains APIs that pertain directly to creating, updating, and deleting policies or policy versions:

The APIs in the preceding list correspond to actions that you can allow or deny—that is, permissions that you can grant—using an IAM policy.

The following example shows a policy that allows a user to create, update (that is, create a new policy version), delete, and set a default version for all customer managed policies in the AWS account. The example policy also allows the user to list policies and get policies.

Example policy that allows creating, updating, deleting, listing, getting, and setting the default version for all policies

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:CreatePolicy",
      "iam:CreatePolicyVersion",
      "iam:DeletePolicy",
      "iam:DeletePolicyVersion",
      "iam:GetPolicy",
      "iam:GetPolicyVersion",
      "iam:ListPolicies",
      "iam:ListPolicyVersions",
      "iam:SetDefaultPolicyVersion"
    ],
    "Resource": "*"
  }
}

You can create policies that limit the use of these APIs to affect only the managed policies that you specify. For example, you might want to allow a user to set the default version and delete policy versions, but only for specific customer managed policies. You do this by specifying the policy ARN in the Resource element of the policy that grants these permissions.

The following example shows a policy that allows a user to delete policy versions and set the default version, but only for the customer managed policies that include the path /TEAM-A/. The customer managed policy ARN is specified in the Resource element of the policy (in this example the ARN includes a path and a wildcard and thus matches all customer managed policies that include the path /TEAM-A/).

For more information about using paths in the names of customer managed policies, see Friendly Names and Paths.

Example policy that allows deleting policy versions and setting the default version for only specific policies

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:DeletePolicyVersion",
      "iam:SetDefaultPolicyVersion"
    ],
    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/TEAM-A/*"
  }
}

Controlling Permissions for Attaching and Detaching Managed Policies

You can also use IAM policies to allow users to work with only specific managed policies—in effect, you can control which permissions a user is allowed to grant to other principal entities.

The following list shows APIs that pertain directly to attaching and detaching managed policies to and from principal entities:

You can create policies that limit the use of these APIs to affect only the specific managed policies, the specific principal entities, or both, that you specify. For example, you might want to allow a user to attach managed policies, but only the managed policies that you specify. Or, you might want to allow a user to attach managed policies, but only to the principal entities that you specify.

The following example policy allows a user to attach managed policies to only the groups and roles that include the path /TEAM-A/. The group and role ARNs are specified in the Resource element of the policy (in this example the ARNs include a path and a wildcard and thus match all groups and roles that include the path /TEAM-A/).

Example policy that allows attaching managed policies to only specific groups or roles

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:AttachGroupPolicy",
      "iam:AttachRolePolicy"
    ],
    "Resource": [
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:group/TEAM-A/*",
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/TEAM-A/*"
    ]
  }
}

You can further limit the actions in the preceding example to affect only specific policies—that is, you can control which permissions a user is allowed to attach to other principal entities—by adding a condition to the policy.

In the following example, the condition ensures that the AttachGroupPolicy and AttachRolePolicy permissions are allowed only when the policy being attached matches one of the specified policies. The condition uses the iam:PolicyArn condition key to determine which policy or policies are allowed to be attached. The following example policy expands on the previous example by allowing a user to attach only the managed policies that include the path /TEAM-A/ to only the groups and roles that include the path /TEAM-A/.

Example policy that allows attaching only specific managed policies to only specific groups or roles

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:AttachGroupPolicy",
      "iam:AttachRolePolicy"
    ],
    "Resource": [
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:group/TEAM-A/*",
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/TEAM-A/*"
    ],
    "Condition": {
      "ArnLike": {
        "iam:PolicyArn": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/TEAM-A/*"
      }
    }
  }
}
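The two Team-A policies above differ in where the policy ARN goes (Resource for version management, Condition for attaching), and it is easy to misjudge which requests each one admits. The following Python script is an added example, not AWS's code and not AWS's evaluation engine: it re-implements only the pieces of policy evaluation that these examples exercise (Action and Resource matching with the ARN wildcard rules, and the iam:PolicyArn condition key under ArnLike/ArnEquals) and runs constructed requests against both policies. The account ID 123456789012, the role, user and policy names, and the restriction to ArnLike/ArnEquals are assumptions made for the example.

```python
import re

# Constructed sample account ID standing in for the page's ACCOUNT-ID-WITHOUT-HYPHENS.
ACCOUNT = "123456789012"

# The page's last Team-A example: attach only /TEAM-A/ policies, only to /TEAM-A/ groups and roles.
TEAM_A_ATTACH_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["iam:AttachGroupPolicy", "iam:AttachRolePolicy"],
        "Resource": [f"arn:aws:iam::{ACCOUNT}:group/TEAM-A/*", f"arn:aws:iam::{ACCOUNT}:role/TEAM-A/*"],
        "Condition": {"ArnLike": {"iam:PolicyArn": f"arn:aws:iam::{ACCOUNT}:policy/TEAM-A/*"}},
    },
}

# The page's earlier Team-A example: the policy ARN sits in Resource because these
# actions operate on the policy itself, so no condition key is needed.
TEAM_A_VERSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
        "Resource": f"arn:aws:iam::{ACCOUNT}:policy/TEAM-A/*",
    },
}


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def arn_match(pattern, value):
    """ArnLike/ArnEquals semantics: case-sensitive, '*' matches any run of characters
    and '?' exactly one. AWS documents the two operators as behaving identically."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def action_match(pattern, action):
    """Action names are matched case-insensitively and may contain '*'."""
    return arn_match(pattern.lower(), action.lower())


def condition_match(condition, context):
    """Only the ARN operators used on this page are modelled. Every operator/key pair
    must hold; within one key any listed pattern may match; a key missing from the
    request context (e.g. no iam:PolicyArn) fails the condition."""
    for operator, keys in condition.items():
        if operator not in ("ArnLike", "ArnEquals"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, patterns in keys.items():
            actual = context.get(key.lower())
            if actual is None or not any(arn_match(p, actual) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Decide one request against one identity-based policy: an explicit Deny wins,
    any matching Allow grants, and no match at all is an implicit deny."""
    context = {k.lower(): v for k, v in (context or {}).items()}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(action_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_match(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request inputs (the entity and policy names are hypothetical).
TEAM_A_ROLE = f"arn:aws:iam::{ACCOUNT}:role/TEAM-A/deployer"
TEAM_B_ROLE = f"arn:aws:iam::{ACCOUNT}:role/TEAM-B/deployer"
TEAM_A_USER = f"arn:aws:iam::{ACCOUNT}:user/TEAM-A/alice"
TEAM_A_POLICY = f"arn:aws:iam::{ACCOUNT}:policy/TEAM-A/read-only"
AWS_MANAGED_POLICY = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"

if __name__ == "__main__":
    for action, resource, ctx in [
        ("iam:AttachRolePolicy", TEAM_A_ROLE, {"iam:PolicyArn": TEAM_A_POLICY}),       # ALLOW
        ("iam:AttachRolePolicy", TEAM_A_ROLE, {"iam:PolicyArn": AWS_MANAGED_POLICY}),  # DENY: condition
        ("iam:AttachRolePolicy", TEAM_B_ROLE, {"iam:PolicyArn": TEAM_A_POLICY}),       # DENY: resource
        ("iam:AttachUserPolicy", TEAM_A_USER, {"iam:PolicyArn": TEAM_A_POLICY}),       # DENY: action
    ]:
        verdict = "ALLOW" if is_allowed(TEAM_A_ATTACH_POLICY, action, resource, ctx) else "DENY"
        print(f"{verdict:5} {action} on {resource} with {ctx['iam:PolicyArn']}")
```

The second request is the case the condition exists for: the caller may attach policies to Team-A roles, but an AWS managed policy outside the /TEAM-A/ path is refused because iam:PolicyArn does not match. The fourth shows that the statement grants nothing for users at all, since AttachUserPolicy is not in its Action list. Against TEAM_A_VERSION_POLICY no request context is needed: SetDefaultPolicyVersion on a /TEAM-A/ policy ARN is allowed and on a /TEAM-B/ policy ARN is not.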

Specifying the Amazon Resource Name (ARN) for Managed Policies

To control access to specific managed policies, you use the Amazon Resource Name (ARN) of the managed policy. In some cases you use the ARN of the managed policy in the Resource element of a policy, and in other cases you use the ARN of the managed policy in the Condition element of a policy.

The following sections explain when to use each.

Using the Resource Element to Control Access to Actions That Affect the Managed Policy

To control access to specific managed policies for actions that affect the managed policy, you specify the ARN of the managed policy in the Resource element of a policy.

The following list contains IAM actions (APIs) that affect a managed policy:

You can limit the use of these actions to affect only the managed policies that you specify. You do this by specifying the policy ARN in the Resource element of the policy that grants these permissions. For example, to specify the ARN of a customer managed policy:
"Resource": "arn:aws:iam::123456789012:policy/POLICY-NAME"
You can also specify the ARN of an AWS managed policy in a policy's Resource element. The ARN of an AWS managed policy uses the special alias aws in the policy ARN instead of an account ID, as in this example:
"Resource": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"

Using the Condition Element to Control Access to Actions That Affect the Principal Entity (User, Group, or Role)

To control access to specific managed policies for actions that involve a managed policy but that affect a principal entity (user, group, or role), you specify the ARN of the managed policy in the Condition element of a policy. In this case, the Resource element of a policy is used to specify the ARN of the principal entity that is affected.

The following list contains IAM actions (APIs) that involve a managed policy but that affect a principal entity:

You can limit the use of these actions to involve only the managed policies that you specify. You do this by specifying the policy ARN in the Condition element of the policy that grants these permissions. For example, to specify the ARN of a customer managed policy:
"Condition": {"ArnEquals": {"iam:PolicyArn": "arn:aws:iam::123456789012:policy/POLICY-NAME"} }
You can also specify the ARN of an AWS managed policy in a policy's Condition element. The ARN of an AWS managed policy uses the special alias aws in the policy ARN instead of an account ID, as in this example:
"Condition": {"ArnEquals": {"iam:PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"} }
You can use the ArnLike or ArnEquals condition types. For more information about ArnLike and ArnEquals, see Amazon Resource Name (ARN) Condition Operators in the Condition Types section of the Policy Element Reference.
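The rule in this section (policy ARN in Resource for actions that affect the policy, policy ARN in the iam:PolicyArn condition for actions that affect a principal) can be turned into a review check over policy documents. The following Python script is an added example, not AWS code: it classifies the actions this page names into the two groups and reports Allow statements whose policy-management permission is not pinned to specific managed policies, either because Resource is a bare wildcard for a policy-affecting action or because a principal-affecting action has no iam:PolicyArn condition. Assumptions: the Detach* and AttachUserPolicy entries in the principal group are the corresponding IAM API names and are not listed on this page; the account ID and the third sample policy are constructed; only ArnLike and ArnEquals are inspected. The page's first example is reported on purpose, since its Resource is "*" by design for an account administrator, so the findings are a prompt to confirm intent rather than a verdict.

```python
import re

# Actions named on this page that act on the managed policy itself: scoped by
# putting the policy ARN in Resource.
POLICY_ACTIONS = {
    "iam:createpolicy", "iam:createpolicyversion", "iam:deletepolicy",
    "iam:deletepolicyversion", "iam:setdefaultpolicyversion",
}
# Actions that name a policy but act on a principal: scoped with the iam:PolicyArn
# condition key. The page names AttachGroupPolicy and AttachRolePolicy; the other
# entries are the corresponding IAM API names, added here as an assumption.
PRINCIPAL_ACTIONS = {
    "iam:attachuserpolicy", "iam:attachgrouppolicy", "iam:attachrolepolicy",
    "iam:detachuserpolicy", "iam:detachgrouppolicy", "iam:detachrolepolicy",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Case-insensitive '*'/'?' wildcard match, as IAM applies to action names."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern.lower())
    return re.fullmatch(regex, value.lower()) is not None


def _granted(stmt, known):
    """The subset of `known` actions that the statement's Action list covers."""
    patterns = _as_list(stmt.get("Action", []))
    return {a for a in known if any(_matches(p, a) for p in patterns)}


def _unscoped(arn_pattern):
    """True when a pattern pins down no particular policy: '*' alone, or an ARN whose
    resource part is just '*' or 'policy/*' (this also covers arn:aws:iam::aws:policy/*)."""
    if arn_pattern == "*":
        return True
    parts = arn_pattern.split(":", 5)
    return len(parts) == 6 and parts[5] in ("*", "policy/*")


def _policy_arn_patterns(stmt):
    """The iam:PolicyArn values under ArnLike or ArnEquals, or [] when there are none."""
    patterns = []
    for operator in ("ArnLike", "ArnEquals"):
        for key, values in stmt.get("Condition", {}).get(operator, {}).items():
            if key.lower() == "iam:policyarn":
                patterns.extend(_as_list(values))
    return patterns


def audit(policy):
    """Return (statement index, action, reason) for each Allow statement whose
    policy-management permission is not limited to specific managed policies."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_unscoped(r) for r in _as_list(stmt.get("Resource", []))):
            for action in sorted(_granted(stmt, POLICY_ACTIONS)):
                findings.append((i, action, "Resource does not name specific policies"))
        principal_actions = sorted(_granted(stmt, PRINCIPAL_ACTIONS))
        if principal_actions:
            patterns = _policy_arn_patterns(stmt)
            reason = None
            if not patterns:
                reason = "no iam:PolicyArn condition"
            elif any(_unscoped(p) for p in patterns):
                reason = "iam:PolicyArn condition is a bare wildcard"
            for action in (principal_actions if reason else []):
                findings.append((i, action, reason))
    return findings


# Sample documents: the first two are the page's own examples with a constructed
# account ID; the third is constructed to show an attach grant with no condition.
ACCOUNT = "123456789012"
ACCOUNT_ADMIN = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy",
               "iam:DeletePolicyVersion", "iam:GetPolicy", "iam:GetPolicyVersion",
               "iam:ListPolicies", "iam:ListPolicyVersions", "iam:SetDefaultPolicyVersion"],
    "Resource": "*"}}
TEAM_A_ATTACH = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["iam:AttachGroupPolicy", "iam:AttachRolePolicy"],
    "Resource": [f"arn:aws:iam::{ACCOUNT}:group/TEAM-A/*", f"arn:aws:iam::{ACCOUNT}:role/TEAM-A/*"],
    "Condition": {"ArnLike": {"iam:PolicyArn": f"arn:aws:iam::{ACCOUNT}:policy/TEAM-A/*"}}}}
UNSCOPED_ATTACH = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "iam:Attach*", "Resource": f"arn:aws:iam::{ACCOUNT}:user/TEAM-A/*"}}

if __name__ == "__main__":
    for name, doc in [("account-admin", ACCOUNT_ADMIN), ("team-a-attach", TEAM_A_ATTACH),
                      ("unscoped-attach", UNSCOPED_ATTACH)]:
        for index, action, reason in audit(doc) or [("-", "-", "no findings")]:
            print(f"{name}: statement {index} {action}: {reason}")
```

Findings carry lower-cased action names because matching is case-insensitive. The third sample is the pattern worth catching in review: "iam:Attach*" with only the principal ARN in Resource lets the holder attach any policy in the account to Team-A users, which is exactly the gap the iam:PolicyArn condition in the previous section closes.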