AWS Identity and Access Management
User Guide

Working with Managed Policies

This section describes how to work with AWS managed policies, and how to create and work with customer managed policies, that is, managed policies that you create yourself. You can manage and create managed policies using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API.

For more information about the different types of IAM policies, see Managed Policies and Inline Policies.

For general information about IAM policies, see Overview of IAM Policies.

For information about policy size limitations and other quotas, see Limitations on IAM Entities and Objects.

Working with Managed Policies Using the AWS Management Console

This section describes how to manage managed policies using the AWS Management Console.

For information about managing managed policies using the AWS Command Line Interface (AWS CLI) or the IAM API, see Working with Managed Policies Using the AWS CLI or the IAM API.

Attaching Managed Policies

You can attach a managed policy to a principal entity (a user, group, or role) to apply the permissions in the policy to the principal entity. You can attach up to 10 managed policies to each principal entity.

To attach a managed policy using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to attach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Attach.

  5. Select the principal entities to attach the policy to. You can use the Filter menu and the search box to filter the list of principal entities. After selecting the principal entities to attach the policy to, choose Attach policy.

Detaching Managed Policies

You can detach a managed policy from a principal entity (a user, group, or role) to remove the permissions in the policy from the principal entity.

To detach a managed policy using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to detach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Detach.

  5. Select the principal entities to detach the policy from. You can use the Filter menu and the search box to filter the list of principal entities. After selecting the principal entities to detach the policy from, choose Detach policy.

Creating Customer Managed Policies

You can create customer managed policies to define sets of permissions to attach to principal entities (users, groups, and roles) in your AWS account. For more information about customer managed policies, see Managed Policies and Inline Policies.

To create a managed policy using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, and then choose Create Policy.

  3. Choose the Select button that corresponds to the way that you want to create your policy.

    • Copy an AWS Managed Policy. See a list of all existing policies and then choose Select next to the one you want to copy.

    • Policy Generator. Build a policy by selecting elements from lists of available options. Select the appropriate Effect, AWS Service, and Actions options, enter the Amazon Resource Name ARN (if applicable), and add any conditions you want to include. Then choose Add Statement. You can add as many statements as you want to the policy. When you are finished adding statements, choose Next Step.

    • Create Your Own Policy. Type a Policy Name in the space provided. For Policy Document, type or paste a policy document into the editor.

  4. In the editor, make any customizations that you need to tailor the policy to your environment.

  5. After you complete your changes, choose Validate Policy and ensure that no errors display in a red box at the top of the screen. Correct any errors that are reported.

    Note

    If Use autoformatting for policy editing is selected, the policy is reformatted whenever you open a policy or choose Validate Policy.

  6. Choose Create Policy to save your new policy.
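As an added example (not code from the AWS guide), the kind of least-privilege policy document you would paste under Create Your Own Policy, together with a local pre-check that catches the common structural mistakes the Validate Policy step would otherwise report in the red box. The bucket name is a placeholder, and the checker is a simplified local check, not the console's own validator.

```python
import json

# Constructed sample: a least-privilege customer managed policy document of the
# kind pasted under "Create Your Own Policy"; the bucket name is a placeholder.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadOneBucket",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket-placeholder", "arn:aws:s3:::example-bucket-placeholder/*"]
  }]
}"""

def _as_list(value):
    """Action/Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_policy_document(text):
    """Return problems found in a JSON policy document string ([] if none).
    Local pre-check (bad JSON, missing elements, full-admin grant); not the console's validator."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    statements = doc.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]  # a single statement object is allowed
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty object or list"]
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"{where}: exactly one of Action/NotAction is required")
        if ("Resource" in stmt) == ("NotResource" in stmt):
            problems.append(f"{where}: exactly one of Resource/NotResource is required")
        # Least-privilege check: Allow * on * is equivalent to the AdministratorAccess policy.
        if effect == "Allow" and "*" in _as_list(stmt.get("Action", [])) \
                and "*" in _as_list(stmt.get("Resource", [])):
            problems.append(f"{where}: grants full admin (Action * on Resource *)")
    return problems
```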

Editing Customer Managed Policies

You edit customer managed policies to change the permissions that are defined in the policy. You cannot edit AWS managed policies.

A managed policy can have up to five versions. If you need to make changes to a managed policy beyond five versions, then the AWS Management Console prompts you to decide which version to delete.

To edit a customer managed policy using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the policy name of the policy to edit. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose the Permissions tab, choose Edit policy, and then edit the policy document.

  5. After you complete your changes, choose Validate policy and ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.

    Note

    If Use autoformatting for policy editing is selected, then the policy is reformatted whenever you open a policy or choose Validate policy.

  6. When you are finished editing the policy, decide whether you want to immediately apply your changes to all principal entities (users, groups, and roles) that this policy is attached to:

    • To immediately apply your changes to all attached entities, select Save as default version.

    • To save your changes without affecting the currently attached entities, clear the check box for Save as default version.

  7. Choose Save.

  8. If the managed policy already has the maximum of five versions, then choosing Save displays a dialog box. To save your new version, you must remove at least one older version. You cannot delete the default version. Choose from the following options:

    • Remove oldest non-default policy version (version v# - created # days ago) - Use this option to see which version will be deleted and when it was created. You can view the JSON policy document for all non-default versions by choosing the second option, Select versions to remove.

    • Select versions to remove - Use this option to view the JSON policy document and choose one or more versions to delete.

    After choosing the versions to remove, choose Delete version and save to save your new policy version.

Setting the Default Version of Customer Managed Policies

You can specify the default version of a customer managed policy to make that version the one that is in effect for every principal entity (user, group, or role) that the policy is attached to. You cannot set the default version for an AWS managed policy.

You can set the default version of a customer managed policy when you edit the policy. To set the default version while editing the policy, see Editing Customer Managed Policies. To set the default version of a customer managed policy independently of editing the policy, see the following procedure.

To set the default version of a customer managed policy using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the policy name of the policy to set the default version of. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose the Policy versions tab. Select the check box next to the version that you want to set as the default version, and then choose Set as default.

Deleting Versions of Customer Managed Policies

You can delete a version of a customer managed policy to ensure that the version can never be set as the default version of the policy, that is, that it can never be attached to any entities (users, groups, and roles) in your AWS account. You cannot delete versions of AWS managed policies.

To delete a version of a customer managed policy using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. Choose the name of the customer managed policy that has a version you want to delete. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose the Policy versions tab. Select the check box next to the version that you want to delete. Then choose Delete.

  5. Confirm that you want to delete the version, and then choose Delete.

Deleting Customer Managed Policies

You can delete a customer managed policy to remove it from your AWS account. You cannot delete AWS managed policies.

To delete a customer managed policy using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. Select the check box next to the customer managed policy to delete. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Delete.

  5. Confirm that you want to delete the policy, and then choose Delete.

Working with Managed Policies Using the AWS CLI or the IAM API

This section describes how to manage managed policies using the AWS Command Line Interface (AWS CLI) or the IAM API. Information in this section applies to both AWS managed policies and customer managed policies, that is, managed policies that you create.

For information about managing managed policies using the AWS Management Console, see Working with Managed Policies Using the AWS Management Console.

To list managed policies

To retrieve detailed information about a managed policy

To list the versions of a managed policy

To retrieve detailed information about a version of a managed policy, including the policy document

To list the principal entities (users, groups, and roles) attached to a managed policy

To list the managed policies attached to a principal entity (a user, group, or role)

To attach a managed policy to a group, role, or user

To detach a managed policy from a group, role, or user

To create a customer managed policy

To edit a customer managed policy

A managed policy can have up to five versions. If you need to make changes to a managed policy beyond five versions from the AWS Command Line Interface or the IAM API, you must first delete one or more existing versions.
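The following added example (not AWS's own code) handles the five-version limit described both in step 8 of the console editing procedure above and in this CLI section: given a response in the shape that ListPolicyVersions returns, it chooses the oldest non-default versions to remove, never the default, and emits the `aws iam delete-policy-version` and `aws iam create-policy-version` commands to run in order. The policy ARN, version IDs and dates are constructed placeholders.

```python
from datetime import datetime, timezone

MAX_VERSIONS = 5  # limit stated in the guide
POLICY_ARN = "arn:aws:iam::123456789012:policy/ExamplePolicy"  # placeholder ARN

def _v(vid, default, month):
    """Build one constructed version entry in the shape ListPolicyVersions returns."""
    return {"VersionId": vid, "IsDefaultVersion": default,
            "CreateDate": datetime(2023, month, 1, tzinfo=timezone.utc)}

# Constructed sample: five versions already exist and v4 is the default, so a
# new version cannot be created until at least one old version is removed.
SAMPLE_VERSIONS = {"Versions": [_v("v5", False, 5), _v("v4", True, 4),
                                _v("v3", False, 3), _v("v2", False, 2),
                                _v("v1", False, 1)]}

def versions_to_delete(response, new_versions=1):
    """Choose the oldest non-default versions to remove so that `new_versions`
    can be created; this mirrors the console's "Remove oldest non-default
    policy version" option. The default version is never selected."""
    versions = response["Versions"]
    needed = max(0, new_versions - (MAX_VERSIONS - len(versions)))
    candidates = sorted((v for v in versions if not v["IsDefaultVersion"]),
                        key=lambda v: v["CreateDate"])
    if needed > len(candidates):
        raise ValueError("not enough non-default versions to delete")
    return [v["VersionId"] for v in candidates[:needed]]

def plan_new_version(response, policy_arn, document_path, set_default=True):
    """Return the AWS CLI commands, as argv lists, that free a slot and then
    create the new version. Nothing is executed here; review the plan, then
    run it with subprocess or paste it into a shell."""
    cmds = [["aws", "iam", "delete-policy-version", "--policy-arn", policy_arn,
             "--version-id", vid] for vid in versions_to_delete(response)]
    create = ["aws", "iam", "create-policy-version", "--policy-arn", policy_arn,
              "--policy-document", f"file://{document_path}"]
    # Without --set-as-default the attached entities keep the current default,
    # like clearing the console's "Save as default version" check box.
    if set_default:
        create.append("--set-as-default")
    cmds.append(create)
    return cmds

if __name__ == "__main__":
    for cmd in plan_new_version(SAMPLE_VERSIONS, POLICY_ARN, "policy.json"):
        print(" ".join(cmd))
```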

To set the default version of a customer managed policy

To delete a version of a customer managed policy

To delete a customer managed policy