AWS Identity and Access Management
User Guide

Adding and Removing IAM Policies

You can use policies as permissions policies for users, groups, and roles using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS API. You can use policies to set permissions boundaries for users and roles only, using the same methods. Use a policy to set a permissions boundary to control the maximum permissions that a principal can have. A permissions boundary grants no permissions on its own: the principal's effective identity-based permissions are limited to those allowed by both its permissions policies and its boundary. Permissions boundaries are an advanced AWS feature.

Terminology

When you associate permissions policies with identities (users, groups, and roles), you might notice that terminology and procedures vary depending on whether you are working with a managed or inline policy:

  • Attach – Used with managed policies. You attach a managed policy to an identity (a user, group, or role). Attaching a policy applies the permissions in the policy to the identity.

  • Detach – Used with managed policies. You detach a managed policy from a principal entity (a user, group, or role). Detaching a policy removes its permissions from the principal entity.

  • Embed – Used with inline policies. You embed an inline policy in an identity (a user, group, or role). Embedding a policy applies the permissions in the policy to the identity. Because an inline policy is stored in the identity, it is embedded rather than attached, though the results are similar.

    Note

    You can embed an inline policy for a service-linked role only in the service that depends on the role. See the AWS documentation for your service to see whether it supports this feature.

  • Delete – Used with inline policies. You delete an inline policy from a principal entity (a user, group, or role). Deleting a policy removes its permissions from the principal entity.

    Note

    You can delete an inline policy for a service-linked role only in the service that depends on the role. See the AWS documentation for your service to see whether it supports this feature.

You can use the console, AWS CLI, or AWS API to perform any of these actions.

Adding and Removing IAM Policies (Console)

You can use the AWS Management Console to attach or detach managed policies used as a permissions policy, or to set, change, or remove a policy used for a permissions boundary. You can also embed or delete an inline policy.

To use a managed policy as a permissions policy for a principal (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to attach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Attach.

  5. Select one or more identities to attach the policy to. You can use the Filter menu and the search box to filter the list of principal entities. After selecting the identities, choose Attach policy.

To use a managed policy to set a permissions boundary (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy to set. You can use the Filter menu and the search box to filter the list of policies.

  4. On the policy summary page, choose the Policy usage tab, and then, if necessary, open the Permissions boundaries section and choose Set boundary.

  5. Select one or more users or roles on which to use the policy for a permissions boundary. You can use the Filter menu and the search box to filter the list of principal entities. After selecting the principals, choose Set boundaries.

To embed an inline policy for a user or role (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or Roles.

  3. In the list, choose the name of the user or role to embed a policy in.

  4. Choose the Permissions tab.

  5. Scroll to the bottom of the page and choose Add inline policy.

    Note

    You cannot embed an inline policy in a service-linked role in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or AWS CLI. To view the service-linked role documentation for a service, see AWS Services That Work with IAM and choose Yes in the Service-Linked Role column for your service.

  6. Choose from the following methods to view the steps required to create your policy:

    • Importing Existing Managed Policies – You can import a managed policy within your account and then edit the policy to customize it to your specific requirements. A managed policy can be an AWS managed policy or a customer managed policy that you created previously.

    • Creating Policies with the Visual Editor – You can construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax.

    • Creating Policies on the JSON Tab – In the JSON tab, you can use JSON syntax to create a policy. You can type a new JSON policy document or paste an example policy.

  7. After you create an inline policy, it is automatically embedded in your user or role.

To embed an inline policy for a group (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Groups.

  3. In the list, choose the name of the group to embed a policy in.

  4. Choose the Permissions tab and expand the Inline Policies section if necessary.

  5. Choose Create Group Policy. If the group has no inline policies yet, instead choose click here to create your first inline policy.

  6. Choose Policy Generator or Custom Policy, and then choose Select.

  7. Do one of the following:

    • If you chose Custom Policy, specify a name for the policy and create your policy document. Policy Validator reports any syntax errors.

    • If you are using the policy generator to create your policy, choose the appropriate Effect, AWS Service, and Actions options. Type the Amazon Resource Name (ARN) (if applicable), and add any conditions that you want to include. Then choose Add Statement. You can add as many statements as you want to the policy. When you are finished adding statements, choose Next Step.

  8. When you are satisfied with the policy, choose Apply Policy.

To change the permissions boundary for one or more principals (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy that is currently set as the permissions boundary. You can use the Filter menu and the search box to filter the list of policies.

  4. On the policy summary page, choose the Policy usage tab, and then, if necessary, open the Permissions boundaries section. Select the check box next to the users or roles whose boundaries you want to change and then choose Change boundary.

  5. Select a new policy to use for a permissions boundary. You can use the Filter menu and the search box to filter the list of policies. After selecting the policy, choose Change boundary.

To detach a managed policy used as a permissions policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to detach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Detach.

  5. Select the identities to detach the policy from. You can use the Filter menu and the search box to filter the list of identities. After selecting the identities, choose Detach policy.

To remove a permissions boundary (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy that is currently used as the permissions boundary. You can use the Filter menu and the search box to filter the list of policies.

  4. On the policy summary page, choose the Policy usage tab, and then, if necessary, open the Permissions boundaries section and choose Remove boundary.

  5. Confirm that you want to remove the boundary and choose Remove.

To delete an inline policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Groups, Users, or Roles.

  3. In the list, choose the name of the group, user, or role that has the policy you want to remove.

  4. Choose the Permissions tab. If you chose Groups, expand the Inline Policies section if necessary.

  5. If in Groups, choose Remove Policy. If in Users or Roles, choose X.

Adding and Removing IAM Policies (AWS CLI)

You can use the AWS CLI to attach or detach managed policies used for permissions, or to set, change, or remove a policy used for a permissions boundary. You can also embed or delete an inline policy.

To use a managed policy as a permissions policy for a principal (AWS CLI)

  1. (Optional) To view information about a managed policy, run the following commands:

  2. To attach a managed policy to an identity (user, group, or role), use one of the following commands:

To use a managed policy to set a permissions boundary (AWS CLI)

  1. (Optional) To view information about a managed policy, run the following commands:

  2. To use a managed policy to set the permissions boundary for a principal (user or role), use one of the following commands:

To embed an inline policy (AWS CLI)

To embed an inline policy in an identity (user, group, or role that is not a service-linked role), use one of the following commands:

To detach a managed policy used as a permissions policy (AWS CLI)

  1. (Optional) To view information about a policy, run the following commands:

  2. (Optional) To find out about the relationships between the policies and identities, run the following commands:

  3. To detach a managed policy from an identity (user, group, or role), use one of the following commands:

To remove a permissions boundary (AWS CLI)

  1. (Optional) To view which managed policy is currently used to set the permissions boundary for a user or role, run the following commands:

  2. (Optional) To view the users or roles on which a managed policy is used for a permissions boundary, run the following command:

  3. (Optional) To view information about a managed policy, run the following commands:

  4. To remove a permissions boundary from a user or role, use one of the following commands:

To delete an inline policy (AWS CLI)

  1. (Optional) To list all inline policies that are embedded in an identity (user, group, or role), use one of the following commands:

  2. (Optional) To retrieve an inline policy document that is embedded in an identity (user, group, or role), use one of the following commands:

  3. To delete an inline policy from an identity (user, group, or role that is not a service-linked role), use one of the following commands:

Adding and Removing IAM Policies (AWS API)

You can use the AWS API to attach or detach managed policies used for permissions, or to set, change, or remove a policy used for a permissions boundary. You can also embed or delete an inline policy.

To use a managed policy as a permissions policy for a principal (AWS API)

  1. (Optional) To view information about a policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  2. To attach a managed policy to an identity (user, group, or role), call one of the following operations:

To use a managed policy to set a permissions boundary (AWS API)

  1. (Optional) To view information about a managed policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  2. To use a managed policy to set the permissions boundary for a principal (user or role), call one of the following operations:
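The following is an added example, not code from the AWS documentation, that carries out the attach and set-boundary procedures above (the same steps the AWS CLI section describes) with the boto3 IAM client. The client methods used (attach_user_policy, attach_group_policy, attach_role_policy, list_attached_*_policies, put_user_permissions_boundary, put_role_permissions_boundary, get_user, get_role) correspond to the IAM API operations of the same names. The principal names and policy ARNs are placeholders. After each change the example reads the principal back and fails if the change is not visible, and it refuses to set a boundary on a group, since boundaries exist for users and roles only.

```python
"""Attach a managed policy as a permissions policy and set a permissions
boundary, then read the result back.  Added example using boto3 method names
that map to the AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy and
PutUserPermissionsBoundary/PutRolePermissionsBoundary operations.  The names
and ARNs under __main__ are placeholders."""

# principal type -> (attach operation, list-attached operation, name parameter)
_ATTACH = {
    "user": ("attach_user_policy", "list_attached_user_policies", "UserName"),
    "group": ("attach_group_policy", "list_attached_group_policies", "GroupName"),
    "role": ("attach_role_policy", "list_attached_role_policies", "RoleName"),
}
# Permissions boundaries exist for users and roles only, never for groups.
_BOUNDARY = {
    "user": ("put_user_permissions_boundary", "get_user", "UserName", "User"),
    "role": ("put_role_permissions_boundary", "get_role", "RoleName", "Role"),
}


def attached_policy_arns(iam, principal_type, name):
    """ARNs of the managed policies attached to the principal, following Marker pagination."""
    _, list_op, name_key = _ATTACH[principal_type]
    arns, marker = [], None
    while True:
        kwargs = {name_key: name}
        if marker:
            kwargs["Marker"] = marker
        page = getattr(iam, list_op)(**kwargs)
        arns.extend(p["PolicyArn"] for p in page["AttachedPolicies"])
        if not page.get("IsTruncated"):
            return arns
        marker = page["Marker"]


def attach_permissions_policy(iam, principal_type, name, policy_arn):
    """Attach policy_arn to a user, group or role and confirm it is now listed."""
    attach_op, _, name_key = _ATTACH[principal_type]
    getattr(iam, attach_op)(**{name_key: name, "PolicyArn": policy_arn})
    if policy_arn not in attached_policy_arns(iam, principal_type, name):
        raise RuntimeError(f"{policy_arn} is not attached to {principal_type} {name}")
    return True


def current_boundary(iam, principal_type, name):
    """ARN of the principal's permissions boundary, or None if it has none."""
    _, get_op, name_key, result_key = _BOUNDARY[principal_type]
    entity = getattr(iam, get_op)(**{name_key: name})[result_key]
    return entity.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")


def set_permissions_boundary(iam, principal_type, name, boundary_arn):
    """Set boundary_arn as the boundary of a user or role and confirm it took effect.
    A boundary caps what the permissions policies may grant; it grants nothing itself."""
    if principal_type not in _BOUNDARY:
        raise ValueError("permissions boundaries apply to users and roles only")
    put_op, _, name_key, _ = _BOUNDARY[principal_type]
    getattr(iam, put_op)(**{name_key: name, "PermissionsBoundary": boundary_arn})
    got = current_boundary(iam, principal_type, name)
    if got != boundary_arn:
        raise RuntimeError(f"boundary is {got!r}, expected {boundary_arn!r}")
    return got


if __name__ == "__main__":
    import boto3  # needs AWS credentials with iam:Attach*/iam:Put*PermissionsBoundary

    iam = boto3.client("iam")
    # Placeholder names and ARNs (assumptions for the example).
    attach_permissions_policy(iam, "role", "AppDeployRole",
                              "arn:aws:iam::123456789012:policy/AppDeployPermissions")
    set_permissions_boundary(iam, "role", "AppDeployRole",
                             "arn:aws:iam::123456789012:policy/DeveloperBoundary")
```

The read-back after each call is deliberate: a boundary that was never applied, or a policy attached to the wrong principal type, is invisible until something is allowed that should not have been, so verify the state rather than trusting a successful API response.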

To embed an inline policy (AWS API)

To embed an inline policy in an identity (user, group, or role that is not a service-linked role), call one of the following operations:

To detach a managed policy used as a permissions policy (AWS API)

  1. (Optional) To view information about a policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  2. (Optional) To find out about the relationships between the policies and identities, call the following operations:

  3. To detach a managed policy from an identity (user, group, or role), call one of the following operations:

To remove a permissions boundary (AWS API)

  1. (Optional) To view which managed policy is currently used to set the permissions boundary for a user or role, call the following operations:

  2. (Optional) To view the users or roles on which a managed policy is used for a permissions boundary, call the following operation:

  3. (Optional) To view information about a managed policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  4. To remove a permissions boundary from a user or role, call one of the following operations:
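The following added example, which is not part of the AWS documentation, serves both the detach procedure and the remove-boundary procedure above (and their AWS CLI equivalents). It uses the boto3 IAM client, whose list_entities_for_policy method corresponds to the ListEntitiesForPolicy operation and accepts the PolicyUsageFilter parameter (PermissionsPolicy or PermissionsBoundary) to distinguish the two kinds of usage; detach_*_policy, delete_*_permissions_boundary and get_policy correspond to the operations of the same names. The policy ARN is a placeholder. Both mutating functions default to a dry run that only reports the affected principals, because removing a boundary lifts the ceiling on what those principals can do and should be reviewed before it happens.

```python
"""Detach a managed policy from every principal that uses it as a permissions
policy, and remove it from every user or role that uses it as a permissions
boundary, then confirm via GetPolicy that nothing still references it.
Added example; boto3 method names map to the IAM operations of the same names.
The ARN under __main__ is a placeholder."""


def entities_using_policy(iam, policy_arn, usage):
    """Yield (principal_type, name) for every entity that uses policy_arn as the
    given kind: usage is 'PermissionsPolicy' or 'PermissionsBoundary'.
    Follows the Marker pagination of ListEntitiesForPolicy."""
    marker = None
    while True:
        kwargs = {"PolicyArn": policy_arn, "PolicyUsageFilter": usage}
        if marker:
            kwargs["Marker"] = marker
        page = iam.list_entities_for_policy(**kwargs)
        for u in page.get("PolicyUsers", []):
            yield "user", u["UserName"]
        for g in page.get("PolicyGroups", []):
            yield "group", g["GroupName"]
        for r in page.get("PolicyRoles", []):
            yield "role", r["RoleName"]
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]


def detach_everywhere(iam, policy_arn, dry_run=True):
    """Detach policy_arn from every user, group and role that has it attached.
    Returns the list of (type, name) found; with dry_run=True nothing is changed."""
    ops = {"user": ("detach_user_policy", "UserName"),
           "group": ("detach_group_policy", "GroupName"),
           "role": ("detach_role_policy", "RoleName")}
    # Materialise the listing before mutating so detaching cannot shift pages under us.
    targets = list(entities_using_policy(iam, policy_arn, "PermissionsPolicy"))
    for ptype, name in targets:
        op, key = ops[ptype]
        if not dry_run:
            getattr(iam, op)(**{key: name, "PolicyArn": policy_arn})
    return targets


def remove_boundary_everywhere(iam, policy_arn, dry_run=True):
    """Remove policy_arn as the permissions boundary of every user and role that uses it.
    Removing a boundary widens those principals' effective permissions: review first."""
    # Groups never appear here; boundaries exist for users and roles only.
    ops = {"user": ("delete_user_permissions_boundary", "UserName"),
           "role": ("delete_role_permissions_boundary", "RoleName")}
    targets = list(entities_using_policy(iam, policy_arn, "PermissionsBoundary"))
    for ptype, name in targets:
        op, key = ops[ptype]
        if not dry_run:
            getattr(iam, op)(**{key: name})
    return targets


def usage_counts(iam, policy_arn):
    """(AttachmentCount, PermissionsBoundaryUsageCount) as reported by GetPolicy;
    both must be 0 before the policy itself can be deleted."""
    p = iam.get_policy(PolicyArn=policy_arn)["Policy"]
    return p.get("AttachmentCount", 0), p.get("PermissionsBoundaryUsageCount", 0)


if __name__ == "__main__":
    import boto3  # needs AWS credentials

    iam = boto3.client("iam")
    arn = "arn:aws:iam::123456789012:policy/LegacyDeployPermissions"  # placeholder
    print("would detach from:", detach_everywhere(iam, arn))
    print("would remove boundary from:", remove_boundary_everywhere(iam, arn))
    print("usage counts (attached, boundary):", usage_counts(iam, arn))
```

Run it once in dry-run mode, read the two lists, and only then call the functions with dry_run=False; the final usage_counts of (0, 0) is the check that the policy is no longer in use anywhere.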

To delete an inline policy (AWS API)

  1. (Optional) To list all inline policies that are embedded in an identity (user, group, or role), call one of the following operations:

  2. (Optional) To retrieve an inline policy document that is embedded in an identity (user, group, or role), call one of the following operations:

  3. To delete an inline policy from an identity (user, group, or role that is not a service-linked role), call one of the following operations:
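The following added example, not code from the AWS documentation, covers the inline-policy lifecycle described in the embed and delete procedures above (and in the corresponding AWS CLI procedures): embed a document, list the names embedded in a principal, retrieve a document, and delete it after saving a copy. It uses the boto3 IAM client, whose put_*_policy, list_*_policies, get_*_policy and delete_*_policy methods correspond to the PutUserPolicy, ListUserPolicies, GetUserPolicy, DeleteUserPolicy operations and their group and role counterparts. Two pre-flight checks are the example's own additions: it refuses a document with an Allow statement granting every action on every resource, and it refuses to embed into a role under the /aws-service-role/ path, which is where service-linked roles live, since IAM rejects inline policies on those. The sample policy document and the principal names are constructed for the example.

```python
"""Embed, list, retrieve and delete inline policies with pre-flight checks.
Added example; boto3 method names map to the IAM operations of the same names.
The sample document and names are constructed placeholders."""
import json

# principal type -> (put, list, get, delete operation, name parameter)
_OPS = {
    "user": ("put_user_policy", "list_user_policies", "get_user_policy", "delete_user_policy", "UserName"),
    "group": ("put_group_policy", "list_group_policies", "get_group_policy", "delete_group_policy", "GroupName"),
    "role": ("put_role_policy", "list_role_policies", "get_role_policy", "delete_role_policy", "RoleName"),
}

# Constructed sample: read-only access to one bucket.
SAMPLE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}


def _as_list(x):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return x if isinstance(x, list) else [x]


def lint_policy_document(doc):
    """Problems a reviewer would refuse outright; an empty list means the document passes.
    Checks the policy language version and any Allow of every action on every resource."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
            problems.append(f"statement {i} allows every action on every resource")
    return problems


def is_service_linked_role(iam, role_name):
    """Service-linked roles are created under the /aws-service-role/ path."""
    return iam.get_role(RoleName=role_name)["Role"]["Path"].startswith("/aws-service-role/")


def embed_inline_policy(iam, ptype, name, policy_name, doc):
    """Lint the document, refuse service-linked roles, then embed it. Returns the policy name."""
    put_op, _, _, _, key = _OPS[ptype]
    problems = lint_policy_document(doc)
    if problems:
        raise ValueError("; ".join(problems))
    if ptype == "role" and is_service_linked_role(iam, name):
        raise ValueError(f"{name} is a service-linked role; manage its policies through the owning service")
    getattr(iam, put_op)(**{key: name, "PolicyName": policy_name, "PolicyDocument": json.dumps(doc)})
    return policy_name


def inline_policy_names(iam, ptype, name):
    """Names of the inline policies embedded in the principal, following Marker pagination."""
    _, list_op, _, _, key = _OPS[ptype]
    names, marker = [], None
    while True:
        kwargs = {key: name}
        if marker:
            kwargs["Marker"] = marker
        page = getattr(iam, list_op)(**kwargs)
        names.extend(page["PolicyNames"])
        if not page.get("IsTruncated"):
            return names
        marker = page["Marker"]


def get_inline_policy(iam, ptype, name, policy_name):
    """The embedded document as a dict (boto3 decodes it already; a raw string is parsed here)."""
    _, _, get_op, _, key = _OPS[ptype]
    doc = getattr(iam, get_op)(**{key: name, "PolicyName": policy_name})["PolicyDocument"]
    return json.loads(doc) if isinstance(doc, str) else doc


def delete_inline_policy(iam, ptype, name, policy_name):
    """Save the document first so the removal can be reversed, then delete it. Returns the saved document."""
    _, _, _, del_op, key = _OPS[ptype]
    saved = get_inline_policy(iam, ptype, name, policy_name)
    getattr(iam, del_op)(**{key: name, "PolicyName": policy_name})
    return saved


if __name__ == "__main__":
    import boto3  # needs AWS credentials

    iam = boto3.client("iam")
    embed_inline_policy(iam, "user", "alice", "ReadReports", SAMPLE_DOC)  # placeholder user
    print(inline_policy_names(iam, "user", "alice"))
    backup = delete_inline_policy(iam, "user", "alice", "ReadReports")
    print(json.dumps(backup, indent=2))
```

The saved copy returned by delete_inline_policy is what makes the deletion safe to do during an incident: an inline policy has no separate existence once removed, so the document itself is the only record of what the principal could do.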