AWS Identity and Access Management
User Guide

Tutorial: Create and Attach Your First Customer Managed Policy

In this tutorial, you use the AWS Management Console to create a customer managed policy and then attach that policy to an IAM user in your AWS account. The policy you create allows an IAM test user to sign in directly to the AWS Management Console with read-only permissions.

This workflow has three basic steps:

Step 1: Create the Policy

By default, IAM users do not have permissions to do anything. They cannot access the AWS Management Console or manage the data within it unless you allow it. In this step, you create a customer managed policy that allows any attached user to sign in to the console.

Step 2: Attach the Policy

When you attach a policy to a user, the user inherits all of the access permissions that are associated with that policy. In this step, you attach the new policy to a test user account.

Step 3: Test User Access

Once the policy is attached, you can sign in as the user and test the policy.

Prerequisites

To perform the steps in this tutorial, you need to already have the following:

  • An AWS account that you can sign in to as an IAM user with administrative permissions.

  • A test IAM user that has no permissions assigned or group memberships as follows:

    User Name    Group    Permissions
    PolicyUser   <none>   <none>

Step 1: Create the Policy

In this step, you create a customer managed policy that allows any attached user to sign in to the AWS Management Console with read-only access to IAM data.

To create the policy for your test user

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/ with your user that has administrator permissions.

  2. In the navigation pane, choose Policies.

  3. In the content pane, choose Create Policy.

  4. Next to Create Your Own Policy, choose Select.

  5. For Policy Name, type UsersReadOnlyAccessToIAMConsole.

  6. For Policy Document, paste the following policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:GenerateCredentialReport",
            "iam:Get*",
            "iam:List*"
          ],
          "Resource": "*"
        }
      ]
    }

  7. Choose Validate Policy and ensure that no errors display in a red box at the top of the screen. Correct any that are reported.

    Note

    If Use autoformatting for policy editing is selected, the policy is reformatted whenever you open a policy or choose Validate Policy.

  8. Choose Create Policy.

You now have a policy ready to attach.

Step 2: Attach the Policy

Next you attach the policy you just created to your test IAM user.

To attach the policy to your test user

  1. In the IAM console, in the navigation pane, choose Policies.

  2. At the top of the policy list, in the search box, start typing UsersReadOnlyAccessToIAMConsole until you can see your policy, and then check the box next to UsersReadOnlyAccessToIAMConsole in the list.

  3. Choose the Policy actions button, and then choose Attach.

  4. For Filter, choose Users.

  5. In the search box, start typing PolicyUser until that user is visible on the list, and then check the box next to that user in the list.

  6. Choose Attach Policy.

You have attached the policy to your IAM test user, which means that user now has read-only access to the IAM console.

Step 3: Test User Access

For this tutorial, we recommend that you test access by signing in as the test user so you can observe the results and see what your users might experience.

To test access by signing in with your test user account

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/ with your PolicyUser test user.

  2. Browse through the pages of the console and try to create a new user or group. Notice that PolicyUser can display data but cannot create or modify existing IAM data.
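As an added example that is not part of the IAM User Guide, the following Python script evaluates the Step 1 policy locally against candidate actions and reproduces the allow/deny outcome you observe in Step 3. It assumes a resource of "*" and deliberately ignores conditions, SCPs and resource-based policies, so it is a dry run of the policy document, not a substitute for IAM's own evaluation.

```python
"""Local dry-run of the Step 1 policy: which IAM actions does PolicyUser get?
Added example, not code from the IAM User Guide. It mirrors the core of IAM's
evaluation order for one identity-based policy (explicit Deny wins, then any
matching Allow, else implicit deny); resource ARNs, conditions, SCPs and
resource policies are deliberately left out."""
import json
from fnmatch import fnmatchcase

# The policy document from Step 1 of the tutorial, embedded verbatim.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:GenerateCredentialReport", "iam:Get*", "iam:List*"],
      "Resource": "*"
    }
  ]
}"""


def _as_list(value):
    """IAM accepts a string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive; patterns may contain '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """True if `action` is allowed by `policy` (resource "*" assumed throughout)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    decision = False  # implicit deny until an Allow statement matches
    for stmt in _as_list(doc["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        decision = True
    return decision


if __name__ == "__main__":
    # What Step 3 observes in the console: reads succeed, writes are denied.
    for act in ["iam:ListUsers", "iam:GetUser", "iam:CreateUser", "s3:ListBuckets"]:
        print(f"{act:20} -> {'allowed' if is_allowed(POLICY_JSON, act) else 'denied'}")
```

Running the script lists the IAM read actions as allowed and iam:CreateUser as denied, matching what PolicyUser sees in the console; note that the policy grants nothing outside the iam service, so the test user cannot even list S3 buckets.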

Related Resources

For related information in the IAM User Guide, see the following resources:

Summary

You’ve now successfully completed all of the steps necessary to create and attach a customer managed policy. As a result, you are able to sign in to the IAM console with your test account and have seen firsthand what the experience would be like for your users.