AWS Identity and Access Management
User Guide

Creating a New Policy

You have several ways to create a new IAM permission policy. You can copy a complete AWS managed policy that already does some of what you're looking for and then customize it to your specific requirements. Alternatively, you can construct the policy by selecting actions and conditions from lists in the policy generator to build the statements into a policy for you. Or you can create a policy from scratch by writing the JSON code.

A policy consists of one or more statements. Each statement generally contains all the actions that share the same effect (Allow or Deny) and the same resources. If one action requires "*" for the resource, and another action specifies the ARN of a specific resource, then they must be in two separate statements.

For general information about IAM policies, see Overview of IAM Policies. For information about the IAM policy language, see AWS IAM Policy Reference.

Create a Policy

No matter which option you choose, they all start the same way:

To start creating a new policy

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation column on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. At the top of the page, choose Create Policy.

  4. On the Create Policy page choose Select for one of the following options. Then follow the steps in the selected procedure:

Copy an Existing Managed Policy

An easy way to create a new policy is to start with a copy of a policy that has at least some of the needed functionality already in it. You can then customize the policy to match it to your new requirements.

To create a copy of an existing policy

  1. Start the Create Policy wizard by following the steps in Create a Policy. Then choose Select for Copy an AWS Managed Policy.

  2. On the Copy an AWS Managed Policy page, choose Select for the managed policy that most closely approximates the policy you want to create. Type in the search box at the top to limit the list to your search terms.

  3. On the Review Policy page, edit the Policy Name, Description (optional), and the Policy Document information so that they meet your new requirements. Choose Create Policy to save your work.

Construct a Policy with the Policy Generator

The policy generator can create a policy without you having to write JSON syntax.

To use the policy generator to create a policy

  1. Start the Create Policy wizard by following the steps in Create a Policy. Then choose Select for Policy Generator.

  2. On the Edit Permissions page, for Effect, choose Allow or Deny. Because we deny by default, we recommend as a security best practice that you allow permissions to only those actions and resources that a user needs access to. This is sometimes called "whitelisting". You need to create a statement with an explicit Deny ("blacklisting") only if you want to override a permission separately allowed by another statement or policy. We recommend that you limit the number of explicit Deny statements to a minimum because they can increase the difficulty of troubleshooting permissions.

  3. Select the AWS service whose actions you want to allow or deny from the list.

  4. Choose the actions that you want to allow or deny. The list shows actions for the service that you selected in the previous step. You can specify All Actions or specify individual actions by selecting the box next to each action name. When you are done selecting actions, click outside of the list to close it. The list shows how many actions you selected.

  5. Type the resource you want to allow or deny access to. Some operations allow only "Resource":"*" while others allow you to specify the Amazon Resource Name (ARN) of individual resources. You can include an asterisk (*) as a wildcard in any field of the ARN (between each pair of colons). Or simply specify an asterisk by itself to mean "any resource in the account." For example, arn:aws:s3:::* represents all S3 buckets in the same account as the policy. For more information, see Resource.

  6. (Optional) You can add Condition elements to limit a statement's effect. For example, you can specify that a user is allowed to perform the actions on the resources only when that user's request happens within a certain time range, or is authenticated with a multi-factor authentication device, or originates from within a certain range of IP addresses. For lists of all of the context keys you can use in the Condition element, see AWS Service Actions and Condition Context Keys for Use in IAM Policies. To begin, click Add Conditions (optional).

    1. For Condition choose the type of comparison that you want to perform.

    2. For Key choose the context key whose value you want to evaluate when a user makes a request.

    3. For Value type the value that you want to compare to the specified key.

    4. Choose Add Condition to add this completed condition to the current statement. To add another condition, modify the settings and choose Add Condition again. Repeat as needed. Each condition applies only to this one statement. All the conditions must be true for the permission statement to be considered a match. You can consider the conditions as being connected by a logical "AND" element.

      For more information about the Condition element, see Condition in the AWS IAM Policy Reference.

  7. When you have completed all of the fields needed for this statement, choose Add Statement. If you need to add more statements to the policy, repeat the preceding steps. Any time you need to change the effect or change the affected resources, you must create a new statement.

  8. After you have added all of the statements that you need, choose Next Step to see your statements in the policy editor. If you want to make changes, you can manually edit the policy further. Edit and save the policy using the steps shown in the following procedure.

Edit a Policy Using the Policy Editor

You can also use the policy editor to create a new policy.

To create a new policy in the policy editor

  1. Start the Create Policy wizard by following the steps in Create a Policy. Then choose Select for Create Your Own Policy.

  2. For Policy Name, type a unique name that helps you to remember what your policy is intended to do.

  3. (Optional) For Description, type an explanation for future reference.

  4. For Policy Document, add or edit policy statements. For details about the IAM policy language, see AWS IAM Policy Reference.

  5. You can choose Validate Policy any time during editing to ensure that the policy is syntactically correct. You can save the policy only if the syntax is correct.

    Note

    The policy validator only checks the JSON policy syntax and grammar. It does not validate that your ARNs, action names, or condition keys are correct.

  6. When you are done with the policy, choose Create Policy to save your completed policy.

  7. After you create a policy, you can apply it by attaching it to your users, groups, or roles. For more information, see Attaching Managed Policies.
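The following script is an added example, not part of this guide or of any AWS tool. It puts together the rules from the policy generator procedure (an action that needs Resource "*" in its own statement, conditions ANDed within a statement) and the policy editor procedure (a syntax-only validator that, like the console validator, does not check whether ARNs, action names or condition keys really exist). The bucket name and IP range are constructed placeholder values.

```python
import ipaddress
import json

# Constructed sample policy (bucket name and CIDR are placeholders). The
# ListAllMyBuckets action needs Resource "*", so it gets its own statement;
# the bucket-scoped actions sit in a second statement whose two conditions
# are ANDed: MFA present AND request from the given source IP range.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

def validate_policy(document):
    """Syntax/grammar checks in the spirit of the console validator. Returns a
    list of problems (empty = valid). It does NOT check that ARNs, action
    names or condition keys really exist, exactly the gap the Note describes."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["Statement must be a non-empty list"]
    problems = []
    for i, stmt in enumerate(statements):
        missing = {"Effect", "Action", "Resource"} - set(stmt)
        if missing:
            problems.append(f"statement {i}: missing {sorted(missing)}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
    return problems

def conditions_match(statement, context):
    """True only if every condition holds (logical AND). Supports the two
    operators used above; context maps condition keys to request values."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool" and str(actual).lower() != expected:
                return False
            if operator == "IpAddress" and (actual is None or
                    ipaddress.ip_address(actual) not in ipaddress.ip_network(expected)):
                return False
    return True
```

Note that a policy naming a misspelled action such as `s3:GetObjekt` still passes `validate_policy`, which is why the guide's Note matters: syntactic validity is not proof that the policy grants what you intended.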