AWS Identity and Access Management
User Guide

Attaching and Detaching IAM Policies

You can attach and detach managed policies and embed and delete inline policies using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS API.

For more information about the difference between managed and inline policies, see Managed Policies and Inline Policies.

For general information about IAM policies, see IAM Policies.

For information about policy size limitations and other quotas, see Limitations on IAM Entities and Objects.

Attaching IAM Policies (Console)

You can use the AWS Management Console to attach a managed policy to an identity (a user, group, or role). Attaching a policy grants the identity the permissions that the policy defines. An inline policy is stored on the identity itself, so it is embedded in the identity rather than attached to it; the effect on the identity's permissions is the same.

To attach a managed policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to attach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Attach.

  5. Select one or more identities to attach the policy to. You can use the Filter menu and the search box to filter the list of principal entities. After selecting the identities, choose Attach policy.

To embed an inline policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Groups, Users, or Roles.

  3. In the list, choose the name of the group, user, or role to embed a policy in.

  4. Choose the Permissions tab. If you chose Groups, expand the Inline Policies section if necessary.

  5. If in Groups, choose Create Group Policy. If in Users or Roles, scroll to the bottom of the page and choose Add inline policy. If there are no existing policies in Groups, instead choose click here to create your first inline policy.

    Note

    You cannot embed an inline policy in a service-linked role in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or CLI. To view the service-linked role documentation for a service, see AWS Services That Work with IAM and choose Yes in the Service-Linked Role column for your service.

  6. Choose Policy Generator or Custom Policy, and then choose Select.

  7. Do one of the following:

    • If you chose Custom Policy, specify a name for the policy and create your policy document. Policy Validator reports any syntax errors.

    • If you are using the policy generator to create your policy, select the appropriate Effect, AWS Service, and Actions options. Type the Amazon Resource Name (ARN) (if applicable), and add any conditions that you want to include. Then choose Add Statement. You can add as many statements as you want to the policy. When you are finished adding statements, choose Next Step.

  8. When you are satisfied with the policy, choose Apply Policy.

Detaching IAM Policies (Console)

You can use the AWS Management Console to detach a managed policy from a principal entity (a user, group, or role). Detaching a policy removes its permissions from the principal entity. IAM evaluates permissions at request time, so the change also applies to sessions the identity already holds; like other IAM changes it is eventually consistent, so allow a short propagation delay before relying on it.

To detach a managed policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to detach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Detach.

  5. Select the identities to detach the policy from. You can use the Filter menu and the search box to filter the list of identities. After selecting the identities, choose Detach policy.

To detach and delete an inline policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Groups, Users, or Roles.

  3. In the list, choose the name of the group, user, or role that has the policy you want to remove.

  4. Choose the Permissions tab. If you chose Groups, expand the Inline Policies section if necessary.

  5. If in Groups, choose Remove Policy. If in Users or Roles, choose X.

Attaching or Detaching IAM Policies (AWS CLI or AWS API)

You can attach or detach managed policies and embed or delete inline policies using the AWS Command Line Interface (AWS CLI) or the AWS API. The following information applies to both managed and inline policies.

To list managed policies (AWS CLI or API)

  AWS CLI: aws iam list-policies
  AWS API: ListPolicies

To retrieve detailed information about a managed policy (AWS CLI or API)

  AWS CLI: aws iam get-policy (metadata, including the default version ID) and aws iam get-policy-version (the policy document)
  AWS API: GetPolicy and GetPolicyVersion

To list the identities (users, groups, and roles) to which a managed policy is attached (AWS CLI or API)

  AWS CLI: aws iam list-entities-for-policy
  AWS API: ListEntitiesForPolicy

To list the managed policies attached to an identity (a user, group, or role) (AWS CLI or API)

  AWS CLI: aws iam list-attached-user-policies, aws iam list-attached-group-policies, or aws iam list-attached-role-policies
  AWS API: ListAttachedUserPolicies, ListAttachedGroupPolicies, or ListAttachedRolePolicies

To list all inline policies that are embedded in an identity (user, group, or role) (AWS CLI or API)

  AWS CLI: aws iam list-user-policies, aws iam list-group-policies, or aws iam list-role-policies
  AWS API: ListUserPolicies, ListGroupPolicies, or ListRolePolicies

To retrieve an inline policy document that is embedded in an identity (user, group, or role) (AWS CLI or API)

  AWS CLI: aws iam get-user-policy, aws iam get-group-policy, or aws iam get-role-policy
  AWS API: GetUserPolicy, GetGroupPolicy, or GetRolePolicy

To attach a managed policy to an identity (user, group, or role) (AWS CLI or API)

  AWS CLI: aws iam attach-user-policy, aws iam attach-group-policy, or aws iam attach-role-policy
  AWS API: AttachUserPolicy, AttachGroupPolicy, or AttachRolePolicy

To detach a managed policy from an identity (user, group, or role) (AWS CLI or API)

  AWS CLI: aws iam detach-user-policy, aws iam detach-group-policy, or aws iam detach-role-policy
  AWS API: DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy

To embed an inline policy in an identity (user, group, or role) (AWS CLI or API)

  AWS CLI: aws iam put-user-policy, aws iam put-group-policy, or aws iam put-role-policy
  AWS API: PutUserPolicy, PutGroupPolicy, or PutRolePolicy

  These operations create the inline policy or replace an existing inline policy that has the same name.

Note

You can embed an inline policy for a service-linked role only in the service that depends on the role. See the AWS documentation for your service to see whether it supports this feature.

To detach and delete an inline policy from an identity (user, group, or role) (AWS CLI or API)

  AWS CLI: aws iam delete-user-policy, aws iam delete-group-policy, or aws iam delete-role-policy
  AWS API: DeleteUserPolicy, DeleteGroupPolicy, or DeleteRolePolicy

Note

You can delete an inline policy from a service-linked role only in the service that depends on the role. See the AWS documentation for your service to see whether it supports this feature.
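The following script is an added example, not code from the AWS documentation. It runs the AWS CLI equivalents of the console procedures above (attach and detach a managed policy, embed and delete an inline policy, and list what is attached), and it adds the pre-flight check a practitioner wants before the "create your policy document" step: the inline-policy size quota, which IAM measures in characters excluding whitespace (2,048 for a user, 5,120 for a group, 10,240 for a role). It assumes AWS CLI v2 on the PATH with credentials configured; the role name ReportReader, the inline policy name ReportBucketRead, the bucket example-bucket and the sample policy document are placeholders constructed for this example. With DRY_RUN=1 (the default) it only prints each command; set DRY_RUN=0 to execute the round trip against your account.

```shell
#!/bin/sh
# Added example (not AWS's own code): AWS CLI equivalents of the console
# procedures above, with a pre-flight quota check for inline policies.
# Assumptions: AWS CLI v2 on PATH with credentials configured; the role name,
# policy names, bucket and policy document below are constructed placeholders.
# DRY_RUN=1 (the default) prints each command; DRY_RUN=0 executes it.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Each identity kind has its own name flag: --user-name, --group-name, --role-name.
name_flag() {
  case "$1" in
    user|group|role) printf '%s' "--$1-name" ;;
    *) echo "unknown identity kind '$1' (expected user, group, or role)" >&2; return 1 ;;
  esac
}

# The per-identity operations follow one naming scheme, <prefix>-<kind>-<suffix>,
# e.g. attach-role-policy or list-attached-user-policies.
ident_cmd() {  # prefix suffix kind name [extra args...]
  ic_prefix=$1 ic_suffix=$2 ic_kind=$3 ic_name=$4; shift 4
  ic_flag=$(name_flag "$ic_kind") || return 1
  run aws iam "$ic_prefix-$ic_kind-$ic_suffix" "$ic_flag" "$ic_name" "$@"
}

# Managed policies
list_managed()   { run aws iam list-policies --scope "${1:-Local}"; }        # Local (customer managed), AWS, or All
show_managed()   { run aws iam get-policy --policy-arn "$1"; }               # metadata; the document comes from get-policy-version
list_entities()  { run aws iam list-entities-for-policy --policy-arn "$1"; } # who has it: check this before detaching
list_attached()  { ident_cmd list-attached policies "$1" "$2"; }
attach_managed() { ident_cmd attach policy "$1" "$2" --policy-arn "$3"; }
detach_managed() { ident_cmd detach policy "$1" "$2" --policy-arn "$3"; }

# Inline policies. put-*-policy creates the policy or silently replaces an
# existing one with the same name; IAM rejects put/delete on service-linked roles.
list_inline()    { ident_cmd list policies "$1" "$2"; }
get_inline()     { ident_cmd get policy "$1" "$2" --policy-name "$3"; }
put_inline()     { ident_cmd put policy "$1" "$2" --policy-name "$3" --policy-document "file://$4"; }
delete_inline()  { ident_cmd delete policy "$1" "$2" --policy-name "$3"; }

# Inline-policy size quota per identity kind, in characters excluding whitespace
# (IAM does not count whitespace). The quota covers ALL inline policies on the
# identity, so passing this check for one document is necessary, not sufficient.
inline_quota() {
  case "$1" in user) echo 2048 ;; group) echo 5120 ;; role) echo 10240 ;; *) return 1 ;; esac
}
nonspace_chars() { printf '%s' "$1" | tr -d '[:space:]' | wc -c | tr -d ' '; }
check_inline_size() {  # kind document-text
  cis_n=$(nonspace_chars "$2")
  cis_limit=$(inline_quota "$1") || return 1
  if [ "$cis_n" -gt "$cis_limit" ]; then
    echo "inline policy is $cis_n non-whitespace characters; the $1 quota is $cis_limit" >&2
    return 1
  fi
}

# Constructed sample document: read-only access to one prefix of one bucket.
POLICY_DOC='{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringLike": {"s3:prefix": "reports/*"}}},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/reports/*"}
  ]
}'

# Round trip: attach and embed, inspect, then detach and delete.
demo() {
  d_kind=role; d_name=ReportReader                     # placeholders
  d_managed=arn:aws:iam::aws:policy/ReadOnlyAccess     # an AWS managed policy
  d_file="${TMPDIR:-/tmp}/inline-policy-$$.json"
  printf '%s\n' "$POLICY_DOC" > "$d_file"

  check_inline_size "$d_kind" "$POLICY_DOC"            # fail here rather than with LimitExceeded from IAM
  list_entities "$d_managed"                           # audit before changing who holds the policy
  attach_managed "$d_kind" "$d_name" "$d_managed"
  put_inline "$d_kind" "$d_name" ReportBucketRead "$d_file"
  list_attached "$d_kind" "$d_name"
  list_inline "$d_kind" "$d_name"
  get_inline "$d_kind" "$d_name" ReportBucketRead
  detach_managed "$d_kind" "$d_name" "$d_managed"
  delete_inline "$d_kind" "$d_name" ReportBucketRead
  rm -f "$d_file"
}
demo
```

Two design points. The list_entities call before attach_managed or detach_managed is the CLI counterpart of the console's identity list in the Attach and Detach dialogs: it shows every user, group and role that currently holds the policy, so you can see what else a change affects. The size check uses the same measure IAM applies (characters with whitespace removed), but the quota is shared by all inline policies on one identity, so a document that passes on its own can still be rejected once it is added to an identity that already carries other inline policies; list_inline and get_inline show what is already there.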