Example policies for administering IAM resources
Following are examples of IAM policies that allow users to perform tasks associated with managing IAM users, groups, and credentials. This includes policies that permit users to manage their own passwords, access keys, and multi-factor authentication (MFA) devices.
For examples of policies that let users perform tasks with other AWS services, like Amazon S3, Amazon EC2, and DynamoDB, see Example IAM identity-based policies.
Topics
- Allow a user to list the account's groups, users, policies, and more for reporting purposes
- Allow a user to manage a group's membership
- Allow a user to manage IAM users
- Allow users to set account password policy
- Allow users to generate and retrieve IAM credential reports
- Allow all IAM actions (admin access)
Allow a user to list the account's groups, users, policies, and more for reporting purposes
The following policy allows the user to call any IAM action that starts with the string Get or List, and to generate reports. To view the example policy, see IAM: Allows read-only access to the IAM console.
Allow a user to manage a group's membership
The following policy allows the user to update the membership of the group called MarketingGroup. To view the example policy, see IAM: Allows managing a group's membership programmatically and in the console.
Allow a user to manage IAM users
The following policy allows a user to perform all the tasks associated with managing IAM users but not to perform actions on other entities, such as creating groups or policies. Allowed actions include these:
- Creating the user (the CreateUser action).
- Deleting the user. This task requires permissions to perform all of the following actions: DeleteSigningCertificate, DeleteLoginProfile, RemoveUserFromGroup, and DeleteUser.
- Listing users in the account and in groups (the GetUser, ListUsers, and ListGroupsForUser actions).
- Listing and removing policies for the user (the ListUserPolicies, ListAttachedUserPolicies, DetachUserPolicy, and DeleteUserPolicy actions).
- Renaming or changing the path for the user (the UpdateUser action). The Resource element must include an ARN that covers both the source path and the target path. For more information on paths, see Friendly names and paths.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToPerformUserActions",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetPolicy",
                "iam:UpdateUser",
                "iam:AttachUserPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:DeleteUserPolicy",
                "iam:DeleteUser",
                "iam:ListUserPolicies",
                "iam:CreateUser",
                "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup",
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:PutUserPolicy",
                "iam:ListAttachedUserPolicies",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:DetachUserPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccount*",
                "iam:ListAccount*"
            ],
            "Resource": "*"
        }
    ]
}
```
A number of the permissions included in the preceding policy allow the user to perform tasks in the AWS Management Console. Users who perform user-related tasks from the AWS CLI or the AWS API might not need certain permissions; for example, a user who already knows the ARN of the policy to detach does not need the iam:ListAttachedUserPolicies permission. The exact list of permissions that a user requires depends on the tasks that the user must perform while managing other users.
The following permissions in the policy allow access to user tasks via the AWS Management Console:
- iam:GetAccount*
- iam:ListAccount*
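To make the wildcard behaviour of the policy above concrete, here is an added example (not code from the AWS documentation): a deliberately simplified, Allow-only evaluator that matches an action and resource against the policy's Action and Resource patterns, then checks the UpdateUser path rule with a constructed path-scoped policy. The account ID and user paths are placeholders, and real IAM evaluation also applies Deny statements, conditions, permission boundaries and SCPs, none of which this shows.

```python
import fnmatch

# Added example, not AWS code: simplified Allow-only IAM policy matching.
# IAM treats '*' and '?' as wildcards in Action and Resource; action names
# are compared case-insensitively. Deny, Condition, boundaries, SCPs omitted.
def _match(pattern, value):
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource="*"):
    # "Statement" may be a single object (as in the admin policy) or a list.
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if any(_match(a, action) for a in _as_list(stmt["Action"])) and \
           any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False

# The "manage IAM users" policy from this page, as a Python dict.
USER_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUsersToPerformUserActions", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:ListPolicies", "iam:GetPolicy", "iam:UpdateUser",
                    "iam:AttachUserPolicy", "iam:ListEntitiesForPolicy",
                    "iam:DeleteUserPolicy", "iam:DeleteUser", "iam:ListUserPolicies",
                    "iam:CreateUser", "iam:RemoveUserFromGroup", "iam:AddUserToGroup",
                    "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:PutUserPolicy",
                    "iam:ListAttachedUserPolicies", "iam:ListUsers", "iam:GetUser",
                    "iam:DetachUserPolicy"]},
        {"Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard", "Effect": "Allow",
         "Action": ["iam:GetAccount*", "iam:ListAccount*"], "Resource": "*"},
    ],
}

# Constructed policy (placeholder account ID) that scopes UpdateUser to one path.
PATH_SCOPED_UPDATE = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:UpdateUser",
                  "Resource": "arn:aws:iam::123456789012:user/division_abc/*"},
}

def can_move_user(policy, src_arn, dst_arn):
    # Renaming or re-pathing a user needs UpdateUser on both source and target ARN.
    return is_allowed(policy, "iam:UpdateUser", src_arn) and \
           is_allowed(policy, "iam:UpdateUser", dst_arn)
```

Running `is_allowed(USER_ADMIN_POLICY, "iam:CreateGroup")` returns False, which is the point of the section: the policy covers user management but not groups or policies.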
Allow users to set account password policy
You might give some users permissions to get and update the password policy of your AWS account. To view the example policy, see IAM: Allows setting the account password requirements programmatically and in the console.
Allow users to generate and retrieve IAM credential reports
You can give users permission to generate and download a report that lists all users in your AWS account. The report also lists the status of various user credentials, including passwords, access keys, MFA devices, and signing certificates. For more information about credential reports, see Generate credential reports for your AWS account. To view the example policy, see IAM: Generate and retrieve IAM credential reports.
Allow all IAM actions (admin access)
You might give some users administrative permissions to perform all actions in IAM, including managing passwords, access keys, MFA devices, and user certificates. The following example policy grants these permissions.
Warning
When you give a user full access to IAM, there is no limit to the permissions that user can grant to themselves or others. The user can create new IAM entities (users or roles) and grant those entities full access to all resources in your AWS account. When you give a user full access to IAM, you are effectively giving them full access to all resources in your AWS account, including the ability to delete all resources. Grant these permissions only to trusted administrators, and enforce multi-factor authentication (MFA) for those administrators.
```json
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "iam:*",
        "Resource": "*"
    }
}
```