Example policies for administering IAM resources - AWS Identity and Access Management

Example policies for administering IAM resources

Following are examples of IAM policies that allow users to perform tasks associated with managing IAM users, groups, and credentials. This includes policies that permit users to manage their own passwords, access keys, and multi-factor authentication (MFA) devices.

For examples of policies that let users perform tasks with other AWS services, like Amazon S3, Amazon EC2, and DynamoDB, see Example IAM identity-based policies.

Allow a user to list the account's groups, users, policies, and more for reporting purposes

The following policy allows the user to call any IAM action that starts with the string Get or List, and to generate reports. To view the example policy, see IAM: Allows read-only access to the IAM console.

Allow a user to manage a group's membership

The following policy allows the user to update the membership of the group called MarketingGroup. To view the example policy, see IAM: Allows managing a group's membership programmatically and in the console.

Allow a user to manage IAM users

The following policy allows a user to perform all the tasks associated with managing IAM users but not to perform actions on other entities, such as creating groups or policies. Allowed actions include these:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToPerformUserActions",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:UpdateUser",
        "iam:AttachUserPolicy",
        "iam:ListEntitiesForPolicy",
        "iam:DeleteUserPolicy",
        "iam:DeleteUser",
        "iam:ListUserPolicies",
        "iam:CreateUser",
        "iam:RemoveUserFromGroup",
        "iam:AddUserToGroup",
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:PutUserPolicy",
        "iam:ListAttachedUserPolicies",
        "iam:ListUsers",
        "iam:GetUser",
        "iam:DetachUserPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccount*",
        "iam:ListAccount*"
      ],
      "Resource": "*"
    }
  ]
}

A number of the permissions included in the preceding policy allow the user to perform tasks in the AWS Management Console. Users who perform user-related tasks from the AWS CLI, the AWS SDKs, or the IAM HTTP query API only might not need certain permissions. For example, if users already know the ARN of policies to detach from a user, they do not need the iam:ListAttachedUserPolicies permission. The exact list of permissions that a user requires depends on the tasks that the user must perform while managing other users.

The following permissions in the policy allow access to user tasks via the AWS Management Console:

  • iam:GetAccount*

  • iam:ListAccount*

Allow users to set account password policy

You might give some users permissions to get and update the password policy of your AWS account. To view the example policy, see IAM: Allows setting the account password requirements programmatically and in the console.

Allow users to generate and retrieve IAM credential reports

You can give users permission to generate and download a report that lists all users in your AWS account. The report also lists the status of various user credentials, including passwords, access keys, MFA devices, and signing certificates. For more information about credential reports, see Getting credential reports for your AWS account. To view the example policy, see IAM: Generate and retrieve IAM credential reports.

Allow all IAM actions (admin access)

You might give some users administrative permissions to perform all actions in IAM, including managing passwords, access keys, MFA devices, and user certificates. The following example policy grants these permissions.

Warning

When you give a user full access to IAM, there is no limit to the permissions that user can grant to themselves or to others. The user can create new IAM entities (users or roles) and grant those entities full access to all resources in your AWS account. When you give a user full access to IAM, you are effectively giving them full access to all resources in your AWS account, including the ability to delete all resources. Grant these permissions only to trusted administrators, and enforce multi-factor authentication (MFA) for those administrators.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "iam:*",
    "Resource": "*"
  }
}
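The two policies above behave very differently once attached, but both grant actions that let a principal change who has what permissions. The following script is an added example (not part of the AWS documentation and not an AWS library) that loads constructed copies of the user-management policy and the full-admin policy, answers "does this policy allow action X?" with IAM's wildcard semantics, and flags statements that grant iam:* or escalation-capable user actions on every resource without an aws:MultiFactorAuthPresent condition. The ESCALATION_ACTIONS list is an assumption chosen for this example, not an AWS-published list; Resource and Condition matching beyond the MFA check are deliberately left out because the page's policies use Resource "*" and no conditions.

```python
"""Tiny IAM policy action matcher and review linter (added example, not AWS code)."""
import fnmatch
import json

# Constructed copies of the two policies shown on this page.
MANAGE_USERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToPerformUserActions",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies", "iam:GetPolicy", "iam:UpdateUser",
                "iam:AttachUserPolicy", "iam:ListEntitiesForPolicy",
                "iam:DeleteUserPolicy", "iam:DeleteUser", "iam:ListUserPolicies",
                "iam:CreateUser", "iam:RemoveUserFromGroup", "iam:AddUserToGroup",
                "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:PutUserPolicy",
                "iam:ListAttachedUserPolicies", "iam:ListUsers", "iam:GetUser",
                "iam:DetachUserPolicy",
            ],
            "Resource": "*",
        },
        {
            "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
            "Effect": "Allow",
            "Action": ["iam:GetAccount*", "iam:ListAccount*"],
            "Resource": "*",
        },
    ],
}

FULL_IAM_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
}

# Same admin grant, but gated on MFA as the page's warning recommends (constructed).
MFA_GATED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow", "Action": "iam:*", "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    },
}


def _as_list(value):
    """IAM accepts either a single string/object or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively; '*' is the wildcard. fnmatch also
    treats '?' and '[...]' specially, which never occur in IAM action names."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """True if an Allow statement names the action and no Deny statement matches it.
    Resource and Condition evaluation are out of scope for this example."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny always wins in IAM
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


# Assumed list for this example: actions that let a principal widen permissions.
ESCALATION_ACTIONS = (
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AddUserToGroup", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
)


def lint_policy(policy):
    """Summarise what a reviewer should look at before attaching the policy."""
    full_iam_admin = False
    unguarded = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        all_resources = "*" in _as_list(stmt.get("Resource"))
        mfa_gated = "aws:MultiFactorAuthPresent" in json.dumps(stmt.get("Condition", {}))
        if any(p.lower() in ("*", "iam:*") for p in patterns):
            full_iam_admin = True
        if all_resources and not mfa_gated:
            for action in ESCALATION_ACTIONS:
                if action not in unguarded and any(_action_matches(p, action) for p in patterns):
                    unguarded.append(action)
    return {"full_iam_admin": full_iam_admin, "escalation_without_mfa": unguarded}


if __name__ == "__main__":
    for name, pol in [("manage-users", MANAGE_USERS_POLICY), ("iam-admin", FULL_IAM_ADMIN_POLICY)]:
        print(name, "allows iam:CreateGroup:", policy_allows(pol, "iam:CreateGroup"))
        print(name, "lint:", lint_policy(pol))
```

Running the script shows that the user-management policy allows iam:CreateUser and the dashboard actions such as iam:GetAccountSummary but not iam:CreateGroup, while the linter reports it still carries four escalation-capable actions with no MFA condition; the full-admin policy is flagged on both counts, and the MFA-gated variant keeps the iam:* finding but drops the unguarded-escalation list, which is the trade-off the warning above describes.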