IAM tutorial: Create and attach your first customer managed policy
In this tutorial, you use the AWS Management Console to create a customer managed policy and then attach that policy to an IAM user in your AWS account. The policy you create allows an IAM test user to sign in directly to the AWS Management Console with read-only permissions.
This workflow has three basic steps:
- Step 1: Create the policy
  By default, IAM users do not have permissions to do anything. They cannot access the AWS Management Console or manage the data within it unless you allow it. In this step, you create a customer managed policy that allows any attached user to sign in to the console.
- Step 2: Attach the policy
  When you attach a policy to a user, the user inherits all of the access permissions that are associated with that policy. In this step, you attach the new policy to a test user.
- Step 3: Test user access
  Once the policy is attached, you can sign in as the user and test the policy.
Prerequisites
To perform the steps in this tutorial, you need to already have the following:
- An AWS account that you can sign in to as an IAM user with administrative permissions.
- A test IAM user that has no permissions assigned and no group memberships, as follows:

  User name    Group    Permissions
  PolicyUser   <none>   <none>
Step 1: Create the policy
In this step, you create a customer managed policy that allows any attached user to sign in to the AWS Management Console with read-only access to IAM data.
To create the policy for your test user
- Sign in to the IAM console at https://console.aws.amazon.com/iam/ with your user that has administrator permissions.
- In the navigation pane, choose Policies.
- In the content pane, choose Create policy.
- Choose the JSON option and copy the text from the following JSON policy document. Paste this text into the JSON text box.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "iam:GenerateCredentialReport",
          "iam:Get*",
          "iam:List*"
        ],
        "Resource": "*"
      }
    ]
  }

- Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Next.

  Note
  You can switch between the Visual and JSON editor options anytime. However, if you make changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring.

- On the Review and create page, type UsersReadOnlyAccessToIAMConsole for the policy name. Review the permissions granted by your policy, and then choose Create policy to save your work. The new policy appears in the list of managed policies and is ready to attach.
Step 2: Attach the policy
Next you attach the policy you just created to your test IAM user.
To attach the policy to your test user
- In the IAM console, in the navigation pane, choose Policies.
- At the top of the policy list, in the search box, start typing UsersReadOnlyAccessToIAMConsole until you can see your policy. Then choose the radio button next to UsersReadOnlyAccessToIAMConsole in the list.
- Choose the Actions button, and then choose Attach.
- In IAM entities, choose the option to filter for Users.
- In the search box, start typing PolicyUser until that user is visible in the list. Then select the check box next to that user in the list.
- Choose Attach policy.
You have attached the policy to your IAM test user, which means that user now has read-only access to the IAM console.
Step 3: Test user access
For this tutorial, we recommend that you test access by signing in as the test user so you can see what your users might experience.
To test access by signing in with your test user
- Sign in to the IAM console at https://console.aws.amazon.com/iam/ with your PolicyUser test user.
- Browse through the pages of the console and try to create a new user or group. Notice that PolicyUser can display data but cannot create or modify existing IAM data.
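The following is an added example, not part of the AWS tutorial and not AWS's own policy engine: a small, simplified evaluator for identity-based policies that shows why Step 3 turns out the way it does. It embeds the policy document from Step 1, applies the three rules the tutorial relies on (everything starts as an implicit deny, a matching Allow grants the action, an explicit Deny always wins), and probes the same read and write actions PolicyUser exercises in the console. The function names, the constructed DENY_OVERRIDE document, and the omission of conditions, NotResource, permission boundaries, SCPs and resource-based policies are all assumptions made for the example.

```python
import fnmatch
import json

# The customer managed policy from Step 1 of the tutorial, embedded so the
# example runs offline.
POLICY_DOCUMENT = """
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "iam:GenerateCredentialReport", "iam:Get*", "iam:List*" ],
  "Resource": "*" } ] }
"""

# Constructed for this example (not from the tutorial): a second policy that
# explicitly denies one of the actions the first policy allows.
DENY_OVERRIDE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "NoCredentialReport", "Effect": "Deny",
                   "Action": "iam:GenerateCredentialReport", "Resource": "*"}],
})


def _as_list(value):
    """Action, NotAction and Resource may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """Resource (ARN) matching is treated as case-sensitive in this simplified model."""
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policy_documents, action, resource="*"):
    """Return (decision, reason) for one action against identity-based policies.

    Simplified evaluation (assumption: identity policies only, no Condition):
      1. start from an implicit deny (no statement matched);
      2. a matching explicit Deny wins immediately;
      3. otherwise a matching Allow grants the action.
    """
    decision, reason = "Deny", "implicit deny: no statement matched"
    for doc in policy_documents:
        policy = json.loads(doc) if isinstance(doc, str) else doc
        for stmt in _as_list(policy.get("Statement")):
            actions = _as_list(stmt.get("Action"))
            not_actions = _as_list(stmt.get("NotAction"))
            if not actions and not not_actions:
                continue  # invalid statement; IAM validation would reject it
            if actions:
                action_hit = any(_action_matches(p, action) for p in actions)
            else:
                action_hit = not any(_action_matches(p, action) for p in not_actions)
            resource_hit = any(_resource_matches(p, resource)
                               for p in _as_list(stmt.get("Resource")))
            if not (action_hit and resource_hit):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt.get("Effect") == "Deny":
                return "Deny", f"explicit deny by statement {sid}"
            decision, reason = "Allow", f"allowed by statement {sid}"
    return decision, reason


def step3_test(policy_documents=(POLICY_DOCUMENT,)):
    """Mirror Step 3: reads PolicyUser performs in the console vs. writes it attempts."""
    probes = ["iam:ListUsers", "iam:GetUser", "iam:GenerateCredentialReport",
              "iam:CreateUser", "iam:CreateGroup", "iam:AttachUserPolicy",
              "s3:ListAllMyBuckets"]
    return {a: evaluate(policy_documents, a)[0] for a in probes}


if __name__ == "__main__":
    for act, result in step3_test().items():
        print(f"{act:32} {result}")
    print("with DENY_OVERRIDE attached as well:",
          evaluate([POLICY_DOCUMENT, DENY_OVERRIDE], "iam:GenerateCredentialReport"))
```

Running it reproduces what you see in the console: iam:ListUsers, iam:GetUser and iam:GenerateCredentialReport are allowed, while iam:CreateUser, iam:CreateGroup and anything outside the iam namespace fall through to the implicit deny. Adding the constructed DENY_OVERRIDE document shows the second caveat a reviewer cares about: an explicit Deny anywhere in the effective policy set overrides the Allow, which is why it is worth checking all of a user's attached and inherited policies, not only the one you just created.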
Summary
You've now successfully completed all of the steps necessary to create and attach a customer managed policy. As a result, you are able to sign in to the IAM console with your test account to see what the experience is like for your users.