Deleting IAM policies - AWS Identity and Access Management

Deleting IAM policies

You can delete IAM policies using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API.

For more information about the difference between managed and inline policies, see Managed policies and inline policies.

For general information about IAM policies, see Policies and permissions in IAM.

The number and size of IAM resources in an AWS account are limited. For more information, see IAM and STS quotas.

View policy access

Before you delete a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see Refining permissions in AWS using last accessed information.

Deleting IAM policies (console)

You can delete a customer managed policy to remove it from your AWS account. You cannot delete AWS managed policies.

To delete a customer managed policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. Select the check box next to the customer managed policy to delete. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Delete.

  5. Confirm that you want to delete the policy, and then choose Delete.

To delete an inline policy for a user group, user, or role (console)

  1. In the navigation pane, choose User groups, Users, or Roles.

  2. Choose the name of the user group, user, or role with the policy that you want to delete. Then choose the Permissions tab. If you chose Users or Roles, expand the policy.

  3. To delete an inline policy in User groups, choose Delete. To delete an inline policy in Users or Roles, choose X.

  4. If you are deleting a single inline policy in User groups, type the name of the policy and choose Delete. If you are deleting multiple inline policies in User groups, type the number of policies you are deleting followed by inline policies and choose Delete. For example, if you are deleting three inline policies, type 3 inline policies.

Deleting IAM policies (AWS CLI)

You can delete a customer managed policy from the AWS Command Line Interface.

To delete a customer managed policy (AWS CLI)

  1. (Optional) To view information about a policy, run the following commands:

  2. (Optional) To find out about the relationships between the policies and identities, run the following commands:

  3. To delete a customer managed policy, run the following command:

To delete an inline policy (AWS CLI)

  1. (Optional) To list all inline policies that are attached to an identity (user, user group, role), use one of the following commands:

  2. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), use one of the following commands:

  3. To delete an inline policy from an identity (user, user group, or role that is not a service-linked role), use one of the following commands:

Deleting IAM policies (AWS API)

You can delete a customer managed policy using the AWS API.

To delete a customer managed policy (AWS API)

  1. (Optional) To view information about a policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  2. (Optional) To find out about the relationships between the policies and identities, call the following operations:

  3. To delete a customer managed policy, call the following operation:

To delete an inline policy (AWS API)

  1. (Optional) To list all inline policies that are attached to an identity (user, user group, role), call one of the following operations:

  2. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), call one of the following operations:

  3. To delete an inline policy from an identity (user, user group, or role that is not a service-linked role), call one of the following operations: