AWS Identity and Access Management
User Guide

Attaching and Detaching IAM Policies

You can attach and detach managed policies and embed and delete inline policies using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS API.

For more information about the difference between managed and inline policies, see Managed Policies and Inline Policies.

For general information about IAM policies, see IAM Policies.

For information about policy size limitations and other quotas, see Limitations on IAM Entities and Objects.

Attaching IAM Policies (Console)

You can use the AWS Management Console to attach a managed policy to an identity (a user, group, or role). Attaching a policy applies the permissions in the policy to the identity.

To attach a managed policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to attach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Attach.

  5. Select one or more identities to attach the policy to. You can use the Filter menu and the search box to filter the list of principal entities. After selecting the identities, choose Attach policy.

Embedding Inline Policies (Console)

You can use the AWS Management Console to embed an inline policy in an identity (a user, group, or role). Embedding a policy applies the permissions in the policy to the identity. Because an inline policy is stored in the identity, it is embedded rather than attached, though the concept is similar.

To embed an inline policy for a user or role (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or Roles.

  3. In the list, choose the name of the user or role to embed a policy in.

  4. Choose the Permissions tab.

  5. Scroll to the bottom of the page and choose Add inline policy.

    Note

    You cannot embed an inline policy in a service-linked role in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or AWS CLI. To view the service-linked role documentation for a service, see AWS Services That Work with IAM and choose Yes in the Service-Linked Role column for your service.

  6. Choose from the following methods to view the steps required to create your policy:

    • Import an Existing Managed Policy – You can import a managed policy within your account and then edit the policy to customize it to your specific requirements. A managed policy can be an AWS managed policy or a customer managed policy that you created previously.

    • Create a Policy with the Visual Editor – You can construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax.

    • Create a Policy on the JSON Tab – In the JSON tab, you can use JSON syntax to create a policy. You can type a new JSON policy document or paste an example policy.

  7. After you create an inline policy, it is automatically embedded in your user or role.

To embed an inline policy for a group (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Groups.

  3. In the list, choose the name of the group to embed a policy in.

  4. Choose the Permissions tab and expand the Inline Policies section if necessary.

  5. Choose Create Group Policy. If there are no existing policies in Groups, instead choose click here to create your first inline policy.

  6. Choose Policy Generator or Custom Policy, and then choose Select.

  7. Do one of the following:

    • If you chose Custom Policy, specify a name for the policy and create your policy document. Policy Validator reports any syntax errors.

    • If you are using the policy generator to create your policy, select the appropriate Effect, AWS Service, and Actions options. Type the Amazon Resource Name (ARN) (if applicable), and add any conditions that you want to include. Then choose Add Statement. You can add as many statements as you want to the policy. When you are finished adding statements, choose Next Step.

  8. When you are satisfied with the policy, choose Apply Policy.

Detaching IAM Policies (Console)

You can use the AWS Management Console to detach a managed policy from a principal entity (a user, group, or role). Detaching a policy removes its permissions from the principal entity.

To detach a managed policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to detach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Detach.

  5. Select the identities to detach the policy from. You can use the Filter menu and the search box to filter the list of identities. After selecting the identities, choose Detach policy.

To detach and delete an inline policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Groups, Users, or Roles.

  3. In the list, choose the name of the group, user, or role that has the policy you want to remove.

  4. Choose the Permissions tab. If you chose Groups, expand the Inline Policies section if necessary.

  5. If in Groups, choose Remove Policy. If in Users or Roles, choose X.

Attaching or Detaching IAM Policies (AWS CLI or AWS API)

You can attach or detach managed policies and embed or delete inline policies using the AWS Command Line Interface (AWS CLI) or the AWS API. The following information applies to both managed and inline policies.

To list managed policies (AWS CLI or API)

To retrieve detailed information about a managed policy (AWS CLI or API)

To list the identities (users, groups, and roles) to which a managed policy is attached (AWS CLI or API)

To list the managed policies attached to an identity (a user, group, or role) (AWS CLI or API)

To list all inline policies that are attached to an identity (user, group, or role) (AWS CLI or API)

To retrieve an inline policy document that is embedded in an identity (user, group, or role) (AWS CLI or API)

To attach a managed policy to an identity (user, group, or role) (AWS CLI or API)

To detach a managed policy from an identity (user, group, or role) (AWS CLI or API)

To embed an inline policy in an identity (user, group, or role) (AWS CLI or API)

Note

You can embed an inline policy for a service-linked role only in the service that depends on the role. See the AWS documentation for your service to see whether it supports this feature.

To detach and delete an inline policy from an identity (user, group, or role)

Note

You can delete an inline policy from a service-linked role only in the service that depends on the role. See the AWS documentation for your service to see whether it supports this feature.
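The listing and retrieval procedures above, as an added example that is not part of the AWS user guide: a small POSIX shell audit script that enumerates every permission source on one identity, both attached managed policies and embedded inline policies, and prints the effective policy documents so they can be reviewed for least privilege. It assumes AWS CLI v2 with credentials permitted to make the iam:List* and iam:Get* calls shown; the identity names passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS user guide): enumerate the managed policies
# attached to, and the inline policies embedded in, one IAM identity, then
# print each policy document. Assumes AWS CLI v2 with suitable credentials.
set -eu

AWS="${AWS:-aws}"   # overridable so command construction can be checked offline

# Map the identity type to the parameter name the iam subcommands expect.
identity_flag() {
  case "$1" in
    user)  echo "--user-name" ;;
    group) echo "--group-name" ;;
    role)  echo "--role-name" ;;
    *)     echo "identity type must be user, group or role, got: $1" >&2; return 1 ;;
  esac
}

# Managed policies attached to the identity (list-attached-<type>-policies).
attached_policy_arns() {
  $AWS iam "list-attached-$1-policies" "$(identity_flag "$1")" "$2" \
    --query 'AttachedPolicies[].PolicyArn' --output text
}

# Inline policies embedded in the identity (list-<type>-policies).
inline_policy_names() {
  $AWS iam "list-$1-policies" "$(identity_flag "$1")" "$2" \
    --query 'PolicyNames[]' --output text
}

# Print the effective documents: the default version of each managed policy,
# then each inline policy document (get-<type>-policy).
dump_identity_policies() {
  kind="$1"; name="$2"; flag="$(identity_flag "$kind")"
  for arn in $(attached_policy_arns "$kind" "$name"); do
    ver="$($AWS iam get-policy --policy-arn "$arn" \
      --query 'Policy.DefaultVersionId' --output text)"
    echo "== managed: $arn (version $ver)"
    $AWS iam get-policy-version --policy-arn "$arn" --version-id "$ver" \
      --query 'PolicyVersion.Document' --output json
  done
  for pol in $(inline_policy_names "$kind" "$name"); do
    echo "== inline: $pol"
    $AWS iam "get-$kind-policy" "$flag" "$name" --policy-name "$pol" \
      --query 'PolicyDocument' --output json
  done
}

# Usage (placeholder identity): sh iam_policy_audit.sh role MyAppRole
if [ $# -eq 2 ]; then
  dump_identity_policies "$1" "$2"
fi
```

Inline documents and managed policy versions are printed as JSON, so the output can be piped into a policy linter or diffed against a known-good baseline.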