AWS Identity and Access Management
User Guide

AWS Managed Policies for Job Functions

AWS managed policies for job functions are designed to closely align to common job functions in the IT industry. You can use these policies to easily grant the permissions needed to carry out the tasks expected of someone in a specific job function. These policies consolidate permissions for many services into a single policy that's easier to work with than having permissions scattered across many policies.

You can attach these policies for job functions to any group, user, or role.

Use Roles to Combine Services

Some of the policies use IAM service roles to help you take advantage of features found in other AWS services. These policies grant access to iam:PassRole, which allows a user with the policy to pass a role to an AWS service. This role delegates IAM permissions to the AWS service to carry out actions on your behalf.

You must create the roles according to your needs. For example, the Network Administrator policy allows a user with the policy to pass a role named "flow-logs-vpc" to the Amazon CloudWatch service. CloudWatch uses that role to log and capture IP traffic for VPCs created by the user.

To follow security best practices, the policies for job functions include filters that limit the names of valid roles that can be passed. This helps avoid granting unnecessary permissions. If your users do require the optional service roles, you must create a role that follows the naming convention specified in the policy. You then grant permissions to the role. Once that is done, the user can configure the service to use the role, granting it whatever permissions the role provides.
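The role-name filter on iam:PassRole described above, shown as an added Python example rather than the text of any AWS managed policy: a constructed statement in the same style (an exact name, rds-monitoring-role, and a prefix, flow-logs-*), plus a small matcher that applies IAM's * and ? wildcards to a role ARN so you can check whether a proposed role name would be passable under such a policy before you create the role. The account ID, the function names and the candidate role names are constructed for the example.

```python
import re

# Constructed statement in the style the job-function policies use to limit
# iam:PassRole to specific role names. Illustrative only; it is not the text of
# the NetworkAdministrator or DatabaseAdministrator managed policy.
PASSROLE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:GetRole", "iam:PassRole"],
    "Resource": [
        "arn:aws:iam::*:role/rds-monitoring-role",  # exact role name
        "arn:aws:iam::*:role/flow-logs-*",          # role-name prefix
    ],
}

# Placeholder account ID used to build the constructed ARNs below.
ACCOUNT_ID = "123456789012"


def _resource_pattern(pattern):
    """Compile an IAM Resource pattern into an anchored regex.

    IAM treats '*' as any sequence of characters and '?' as any single
    character; every other character is literal.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def role_arn(account_id, role_name):
    """ARN of an IAM role in the given account."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def passrole_allowed(statement, arn):
    """True if this Allow statement grants iam:PassRole on a Resource matching `arn`.

    Only the literal action names iam:PassRole, iam:* and * are recognised;
    other action wildcards (e.g. iam:Pass*) are not expanded here.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action", []))
    if not any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
        return False
    patterns = _as_list(statement.get("Resource", []))
    return any(_resource_pattern(p).match(arn) for p in patterns)


def check_role_names(statement, account_id, names):
    """Map each proposed role name to whether a user holding `statement` could pass it."""
    return {n: passrole_allowed(statement, role_arn(account_id, n)) for n in names}


if __name__ == "__main__":
    candidates = ["rds-monitoring-role", "flow-logs-for-juan", "flow-logs", "AdminRole"]
    for name, ok in check_role_names(PASSROLE_STATEMENT, ACCOUNT_ID, candidates).items():
        print(f"{name:22} {'passable' if ok else 'blocked'}")
```

Note that flow-logs (without the trailing hyphen) is blocked: the prefix in the Resource pattern is flow-logs-, so a name must carry the hyphen to match, which is why the role in Example 2 is named flow-logs-for-juan.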

Keep Up to Date

These policies are all maintained by AWS and are kept up to date to include support for new services and new capabilities as they are added by AWS. These policies cannot be modified by customers. You can make a copy of the policy and then modify the copy, but that copy will not be automatically updated as AWS introduces new services and APIs.

Job Functions

In the following sections, each policy's name is a link to the policy details page in the AWS Management Console. There you can see the policy document and review the permissions it grants.

Administrator

AWS managed policy name: AdministratorAccess

Use case: This user has full access and can delegate permissions to every service and resource in AWS.

Policy description: This policy grants all actions for all AWS services and for all resources in the account.

Billing

AWS managed policy name: Billing

Use case: This user needs to view billing information, set up payment, and authorize payment. The user can monitor the costs accumulated for each AWS service.

Policy description: This policy grants permissions for managing billing and costs. The permissions include viewing and modifying both budgets and payment methods.

Note

Before an IAM user can access the AWS Billing and Cost Management console with this policy, you must first enable Billing and Cost Management console access for the account. To do this, follow the instructions in Step 1 of the tutorial about delegating access to the billing console.

Database Administrator

AWS managed policy name: DatabaseAdministrator

Use case: This user sets up, configures, and maintains databases in the AWS Cloud.

Policy description: This policy grants permissions to create, configure, and maintain databases. It includes access to all AWS database services, such as Amazon DynamoDB, Amazon ElastiCache, Amazon Relational Database Service (RDS), Amazon Redshift, and other supporting services.

This policy supports the ability to pass roles to AWS services. The policy grants iam:GetRole and iam:PassRole for only those roles named in the following table. For more information, see Creating the Roles and Attaching the Policies later in this topic.

Optional IAM service roles for the Database Administrator job function

Use case: Allow the user to monitor RDS databases
  Role name (* is a wildcard): rds-monitoring-role
  Service role type to select: Amazon RDS Role for Enhanced Monitoring
  AWS managed policy to select: AmazonRDSEnhancedMonitoringRole

Use case: Allow AWS Lambda to monitor your database and access external databases
  Role name (* is a wildcard): rdbms-lambda-access
  Service role type to select: Amazon EC2
  AWS managed policy to select: AWSLambdaFullAccess

Use case: Allow Lambda to upload files to Amazon S3 and to Amazon Redshift clusters with DynamoDB
  Role name (* is a wildcard): lambda_exec_role
  Service role type to select: AWS Lambda
  AWS managed policy to select: Create a new managed policy as defined in the AWS Big Data Blog

Use case: Allow Lambda functions to act as triggers for your DynamoDB tables
  Role name (* is a wildcard): lambda-dynamodb-*
  Service role type to select: AWS Lambda
  AWS managed policy to select: AWSLambdaDynamoDBExecutionRole

Use case: Allow Lambda functions to access Amazon RDS in a VPC
  Role name (* is a wildcard): lambda-vpc-execution-role
  Service role type to select: Create a role with a trust policy as defined in the AWS Lambda Developer Guide
  AWS managed policy to select: AWSLambdaVPCAccessExecutionRole

Use case: Allow AWS Data Pipeline to access your AWS resources
  Role name (* is a wildcard): DataPipelineDefaultRole
  Service role type to select: Create a role with a trust policy as defined in the AWS Data Pipeline Developer Guide
  AWS managed policy to select: AWSDataPipelineRole

Use case: Allow your applications running on Amazon EC2 instances to access your AWS resources
  Role name (* is a wildcard): DataPipelineDefaultResourceRole
  Service role type to select: Create a role with a trust policy as defined in the AWS Data Pipeline Developer Guide
  AWS managed policy to select: AmazonEC2RoleforDataPipelineRole

Data Scientist

AWS managed policy name: DataScientist

Use case: This user runs Hadoop jobs and queries. The user also accesses and analyzes information for data analytics and business intelligence.

Policy description: This policy grants permissions to create, manage, and run queries on an Amazon EMR cluster and perform data analytics with tools such as Amazon QuickSight. The policy includes access to AWS Data Pipeline, Amazon EC2, Amazon Elasticsearch Service, Amazon Elastic File System, Amazon EMR, Amazon Kinesis, Amazon Kinesis Analytics, Amazon Machine Learning, Amazon RDS, and Amazon Redshift.

This job function supports the ability to pass roles to AWS services. The policy grants iam:GetRole and iam:PassRole for only those roles named in the following table. For more information, see Creating the Roles and Attaching the Policies later in this topic.

Optional IAM service roles for the Data Scientist job function

Use case: Allow Amazon EC2 instances access to services and resources suitable for clusters
  Role name (* is a wildcard): EMR-EC2_DefaultRole
  Service role type to select: Amazon EMR for EC2
  AWS managed policy to select: AmazonElasticMapReduceforEC2Role

Use case: Allow Amazon EMR to access the Amazon EC2 service and resources for clusters
  Role name (* is a wildcard): EMR_DefaultRole
  Service role type to select: Amazon EMR
  AWS managed policy to select: AmazonElasticMapReduceRole

Use case: Allow Amazon Kinesis Analytics to access streaming data sources
  Role name (* is a wildcard): kinesis-*
  Service role type to select: Create a role with a trust policy as defined in the AWS Big Data Blog
  AWS managed policy to select: See the AWS Big Data Blog, which outlines four possible options depending on your use case

Use case: Allow AWS Data Pipeline to access your AWS resources
  Role name (* is a wildcard): DataPipelineDefaultRole
  Service role type to select: Create a role with a trust policy as defined in the AWS Data Pipeline Developer Guide
  AWS managed policy to select: AWSDataPipelineRole

Use case: Allow your applications running on Amazon EC2 instances to access your AWS resources
  Role name (* is a wildcard): DataPipelineDefaultResourceRole
  Service role type to select: Create a role with a trust policy as defined in the AWS Data Pipeline Developer Guide
  AWS managed policy to select: AmazonEC2RoleforDataPipelineRole

Developer Power User

AWS managed policy name: PowerUserAccess

Use case: This user performs application development tasks and can create and configure resources and services that support AWS-aware application development.

Policy description: This policy grants permissions to view, read, and write permissions for a variety of AWS services intended for application development, including Amazon API Gateway, Amazon AppStream, Amazon CloudSearch, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, AWS Device Farm, Amazon DynamoDB, Amazon Elastic Compute Cloud, Amazon EC2 Container Service (ECS), AWS Lambda, Amazon RDS, Amazon Route 53, Amazon Simple Storage Service (S3), Amazon Simple Email Service (SES), Amazon Simple Queue Service (SQS), and Amazon Simple Workflow Service (SWF).

Network Administrator

AWS managed policy name: NetworkAdministrator

Use case: This user is tasked with setting up and maintaining AWS network resources.

Policy description: This policy grants permissions to create and maintain network resources in Amazon EC2, Amazon Route 53, Amazon Virtual Private Cloud (VPC), and AWS Direct Connect.

This job function requires the ability to pass roles to AWS services. The policy grants iam:GetRole and iam:PassRole for only those roles named in the following table. For more information, see Creating the Roles and Attaching the Policies later in this topic.

Optional IAM service roles for the Network Administrator job function

Use case: Allow Amazon VPC to create and manage CloudWatch logs on the user's behalf to monitor IP traffic going in and out of your VPC
  Role name (* is a wildcard): flow-logs-*
  Service role type to select: Create a role with a trust policy as defined in the Amazon VPC User Guide
  AWS managed policy to select: This use case does not have an existing AWS managed policy, but the documentation lists the required permissions. See the Amazon VPC User Guide.

System Administrator

AWS managed policy name: SystemAdministrator

Use case: This user sets up and maintains resources for development operations.

Policy description: This policy grants permissions to create and maintain resources across a large variety of AWS services, including AWS CloudTrail, Amazon CloudWatch, AWS CodeCommit, AWS CodeDeploy, AWS Config, AWS Directory Service, Amazon EC2, AWS Identity and Access Management, AWS Key Management Service, AWS Lambda, Amazon RDS, Amazon Route 53, Amazon S3, Amazon SES, Amazon SQS, AWS Trusted Advisor, and Amazon VPC.

This job function requires the ability to pass roles to AWS services. The policy grants iam:GetRole and iam:PassRole for only those roles named in the following table. For more information, see Creating the Roles and Attaching the Policies later in this topic.

Optional IAM service roles for the System Administrator job function

Use case: Allow apps running in EC2 instances in an Amazon ECS cluster to access Amazon ECS
  Role name (* is a wildcard): ecr-sysadmin-*
  Service role type to select: Amazon EC2 Role for EC2 Container Service
  AWS managed policy to select: AmazonEC2ContainerServiceforEC2Role

Use case: Allow a user to monitor databases
  Role name (* is a wildcard): rds-monitoring-role
  Service role type to select: Amazon RDS Role for Enhanced Monitoring
  AWS managed policy to select: AmazonRDSEnhancedMonitoringRole

Use case: Allow apps running in EC2 instances to access AWS resources
  Role name (* is a wildcard): ec2-sysadmin-*
  Service role type to select: Amazon EC2
  AWS managed policy to select: Sample policy for a role that grants access to an S3 bucket, as shown in the Amazon EC2 User Guide for Linux Instances; customize as needed

Use case: Allow Lambda to read DynamoDB streams and write to CloudWatch Logs
  Role name (* is a wildcard): lambda-sysadmin-*
  Service role type to select: AWS Lambda
  AWS managed policy to select: AWSLambdaDynamoDBExecutionRole

Security Auditor

AWS managed policy name: SecurityAudit

Use case: This user monitors accounts for compliance with security requirements. This user can access logs and events to investigate potential security breaches or potential malicious activity.

Policy description: This policy grants permissions to view configuration data for many AWS services and to review their logs.

Support User

AWS managed policy name: SupportUser

Use case: This user contacts AWS support, creates support cases, and views the status of existing cases.

Policy description: This policy grants permissions to create and update AWS support cases.

View-Only User

AWS managed policy name: ViewOnlyAccess

Use case: This user can view a list of AWS resources and basic metadata in the account across all services. The user cannot read resource content or metadata that goes beyond the quota and list information for resources.

Policy description: This policy grants List* and Describe* access to resources for every AWS service.

Creating the Roles and Attaching the Policies

Several of the policies listed above grant the ability to configure AWS services with roles that enable those services to perform operations on your behalf. The job function policies either specify exact role names that you must use or at least include a prefix that specifies the first part of the name that can be used. To create one of these roles, perform the steps in the following procedure.

To create an IAM service role for a job function

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the IAM console, choose Roles, and then choose Create New Role.

  3. For Role Name, type a role name that matches the requirements for the name specified in the managed policy for the job function (in the Role Name column of the tables above). After you type the name, choose Next Step at the bottom.

  4. If needed, expand the AWS Service Roles section, and then choose Select for the service role type specified in the Service role type to select column of the appropriate table. If a service role type is not defined in the table, select Amazon EC2. You must then edit the trust policy for the role later to replace the EC2 service entry (ec2.amazonaws.com) with the one for the service that needs to assume the role. For more information, see Example 2.

  5. If the table shows a specified managed policy, select the check box for that policy to grant the permissions that you want the service to have. If the table specifies something other than an existing managed policy, you can skip this step, create the policy later according to the documentation, and then attach it to the role.

  6. Click Next Step to review the role. Then click Create Role.

Example 1: Configuring a User as a Database Administrator

This example shows the steps required to configure Alice, an IAM user, as a Database Administrator. You use the information in the first row of the table in that section and allow the user to enable Amazon RDS monitoring. You attach the DatabaseAdministrator policy to Alice's IAM user so that she can manage the Amazon database services. That policy also enables Alice to pass a role called rds-monitoring-role to the Amazon RDS service, which allows the service to monitor the RDS databases on her behalf.

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Policies and then type database in the search box.

  3. Select the check box for DatabaseAdministrator policy, choose Policy actions, and then choose Attach.

  4. In the list of users, select Alice and then choose Attach policy. Alice now can administer AWS databases. However, to allow Alice to monitor those databases, you must configure the service role.

  5. Choose Roles, and then choose Create New Role.

  6. The role name must be one of those specified by the DatabaseAdministrator policy that Alice now has. One of those is rds-monitoring-role. Type that for the Role Name, and then choose Next Step.

  7. As in the first table row, under AWS Service Roles choose Select next to Amazon RDS Role for Enhanced Monitoring.

  8. After you review the details, choose Create Role.

  9. Alice can now enable RDS Enhanced Monitoring in the Monitoring section of the Amazon RDS console when she creates a DB instance, creates a read replica, or modifies a DB instance. She must type the role name she created (rds-monitoring-role) in the Monitoring Role box when she sets Enable Enhanced Monitoring to Yes.

Example 2: Configuring a User as a Network Administrator

This example shows the steps required to configure Juan, an IAM user, as a Network Administrator. It uses the information in the table in that section to allow Juan to monitor IP traffic going to and from a VPC, and to allow Juan to capture that information in CloudWatch logs. You attach the NetworkAdministrator policy to Juan's IAM user so that he can configure AWS network resources. That policy also enables Juan to pass a role whose name begins with flow-logs* to Amazon EC2 when you create a flow log. In this scenario, unlike Example 1, there isn't a predefined service role type, so you must perform a few steps differently.

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies and then type network in the search box.

  3. Select the check box next to NetworkAdministrator policy, choose Policy actions, and then choose Attach.

  4. In the list of users, select the check box next to Juan and then choose Attach policy. Juan now can administer AWS network resources. However, to enable monitoring of IP traffic in your VPC, you must configure the service role.

  5. Because the service role you need to create doesn't have a predefined managed policy, you must first create it. In the navigation pane, choose Policies, then choose Create Policy.

  6. Choose Select next to Create Your Own Policy.

  7. For the Policy Name, type vpc-flow-logs-policy-for-service-role.

  8. In Policy Document, copy and paste the following text:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

  9. Choose Create Policy to save your changes.

  10. Choose Roles, and then choose Create New Role.

  11. The role name must be permitted by the NetworkAdministrator policy that Juan now has. Any name that begins with flow-logs- is allowed. For this example, type flow-logs-for-juan for the role name, and then choose Next Step.

  12. As in the second table, under AWS Service Roles choose Select next to Amazon EC2.

  13. On the Attach Policy page, choose the policy you created earlier, vpc-flow-logs-policy-for-service-role, and then choose Next Step.

  14. After you review the details, choose Create Role.

  15. Now you can configure the trust policy required for this scenario. On the Roles page, choose the flow-logs-for-juan role (the name, not the check box). On the details page for your new role, choose the Trust Relationships tab, and then choose Edit Trust Relationship.

  16. Change the "Service" line to read as follows, replacing the entry for ec2.amazonaws.com:

    "Service": "vpc-flow-logs.amazonaws.com"

  17. Alice can now create flow logs for a VPC or subnet in the Amazon EC2 console. When you create the flow log, specify the flow-logs-for-juan role. That role has the permissions to create the log and write data to it.
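The role from Example 2, assembled and checked in Python as an added example (this is not code from the guide): the permissions policy from step 8, the full trust policy whose "Service" line step 16 edits, and a check that catches the slip of leaving the console's default ec2.amazonaws.com principal in place after choosing the Amazon EC2 role type in step 12. The trust-policy skeleton is the standard service-role form; the function names are constructed for the example.

```python
import copy
import json

# Service principal that must be trusted so VPC Flow Logs can assume the role
# (the value step 16 puts on the "Service" line).
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"
# Principal the console writes when you pick the Amazon EC2 role type (step 12).
EC2_SERVICE = "ec2.amazonaws.com"

# Permissions policy from step 8 (vpc-flow-logs-policy-for-service-role).
FLOW_LOGS_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}


def trust_policy(service_principal):
    """Standard service-role trust policy for a single AWS service principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service_principal},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    """IAM lets Action and Principal values be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def trusted_principals(policy):
    """Return (kind, value) pairs from every Allow statement that grants sts:AssumeRole."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":            # anyone may assume the role
            found.append(("*", "*"))
            continue
        for kind, values in principal.items():   # kind is Service, AWS, Federated, ...
            found.extend((kind, v) for v in _as_list(values))
    return found


def trust_policy_issues(policy, expected_service):
    """Reasons the trust policy is not 'exactly the expected service principal, and nothing else'."""
    issues = []
    principals = trusted_principals(policy)
    if not principals:
        issues.append("no Allow statement grants sts:AssumeRole")
    for kind, value in principals:
        if kind == "*" or value == "*":
            issues.append("any principal may assume the role")
        elif kind != "Service":
            issues.append(f"unexpected {kind} principal {value}")
        elif value != expected_service:
            issues.append(f"trusts {value} instead of {expected_service}")
    return issues


def replace_service_principal(policy, old, new):
    """Step 16 as a transformation: a copy of `policy` with service principal `old` swapped for `new`."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        services = [new if s == old else s for s in _as_list(principal["Service"])]
        principal["Service"] = services[0] if len(services) == 1 else services
    return fixed


if __name__ == "__main__":
    console_default = trust_policy(EC2_SERVICE)     # what the console creates at step 12
    print("before step 16:", trust_policy_issues(console_default, FLOW_LOGS_SERVICE))
    fixed = replace_service_principal(console_default, EC2_SERVICE, FLOW_LOGS_SERVICE)
    print("after step 16:", trust_policy_issues(fixed, FLOW_LOGS_SERVICE))
    print(json.dumps(fixed, indent=2))
```

The check is deliberately strict: a service role for flow logs should be assumable by vpc-flow-logs.amazonaws.com and nothing else, so a leftover ec2.amazonaws.com entry, an extra AWS account principal, or a "*" principal is each reported as an issue to fix before the role is used.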