ManagedPolicyProps

class aws_cdk.aws_iam.ManagedPolicyProps(*, description=None, document=None, groups=None, managed_policy_name=None, path=None, roles=None, statements=None, users=None)

Bases: object

Properties for defining an IAM managed policy.

Parameters:
  • description (Optional[str]) – A description of the managed policy. Typically used to store information about the permissions defined in the policy. For example, “Grants access to production DynamoDB tables.” The policy description is immutable. After a value is assigned, it cannot be changed. Default: - empty

  • document (Optional[PolicyDocument]) – Initial PolicyDocument to use for this ManagedPolicy. If omitted, any PolicyStatement provided in the statements property will be applied against the empty default PolicyDocument. Default: - An empty policy.

  • groups (Optional[Sequence[IGroup]]) – Groups to attach this policy to. You can also use attachToGroup(group) to attach this policy to a group. Default: - No groups.

  • managed_policy_name (Optional[str]) – The name of the managed policy. If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name. Default: - A name is automatically generated.

  • path (Optional[str]) – The path for the policy. This parameter allows (through its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (U+0021) through the DEL character (U+007F), including most punctuation characters, digits, and upper- and lowercase letters. For more information about paths, see IAM Identifiers in the IAM User Guide. Default: - “/”

  • roles (Optional[Sequence[IRole]]) – Roles to attach this policy to. You can also use attachToRole(role) to attach this policy to a role. Default: - No roles.

  • statements (Optional[Sequence[PolicyStatement]]) – Initial set of permissions to add to this policy document. You can also use addStatements(statement) to add permissions later. Default: - No statements.

  • users (Optional[Sequence[IUser]]) – Users to attach this policy to. You can also use attachToUser(user) to attach this policy to a user. Default: - No users.


Example:

# Assumes the usual CDK import and that this code runs inside a Stack (hence `self`):
from aws_cdk import aws_iam as iam

policy_document = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FirstStatement",
        "Effect": "Allow",
        "Action": ["iam:ChangePassword"],
        "Resource": ["*"]
    }, {
        "Sid": "SecondStatement",
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets"],
        "Resource": ["*"]
    }, {
        "Sid": "ThirdStatement",
        "Effect": "Allow",
        "Action": ["s3:List*", "s3:Get*"],
        "Resource": ["arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*"],
        # from_json passes condition keys through verbatim, so they must use IAM's
        # exact spelling. The global condition key is aws:MultiFactorAuthPresent;
        # a mis-spelt key (for example the snake-cased "aws:_multi_factor_auth_present"
        # that appears in some transpiled examples) is an unknown key that never
        # evaluates to true, so this Allow would silently grant nothing.
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
    ]
}

custom_policy_document = iam.PolicyDocument.from_json(policy_document)

# You can pass this document as an initial document to a ManagedPolicy
# or inline Policy.
new_managed_policy = iam.ManagedPolicy(self, "MyNewManagedPolicy",
    document=custom_policy_document
)
new_policy = iam.Policy(self, "MyNewPolicy",
    document=custom_policy_document
)
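As an added example that is not part of the CDK documentation or the CDK code base, the following pure-Python pre-synth checks implement the path constraint stated for the path property and lint a policy document dict before it is handed to PolicyDocument.from_json(): they flag a mis-spelt aws:MultiFactorAuthPresent condition key (a dead condition, since IAM treats an unknown key as never matching) and an unconditioned Allow that combines a wildcard Action with Resource "*". The function names (validate_path, lint_policy_document, check_managed_policy_props) and the three sample documents are my own constructions; the block does not import aws_cdk, so it runs anywhere.

```python
import re
from typing import Any, Dict, List

# IAM path pattern as the page describes it: "/" on its own, or a string that
# begins and ends with "/" and otherwise contains only ASCII 0x21 ("!") to 0x7F (DEL).
_PATH_RE = re.compile(r"/|/[\x21-\x7f]+/")

# IAM's exact global condition key. A mis-spelt key such as the snake-cased
# "aws:_multi_factor_auth_present" is a different, unknown key: a Bool test on
# it never matches, so an Allow gated on it grants nothing and a Deny gated on
# it blocks nothing.
MFA_KEY = "aws:MultiFactorAuthPresent"


def validate_path(path: str) -> bool:
    """True if `path` satisfies the constraint stated for ManagedPolicyProps.path."""
    return _PATH_RE.fullmatch(path) is not None


def _as_list(value: Any) -> List[Any]:
    # IAM accepts a bare string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def _canonical(key: str) -> str:
    # Collapse case and underscores so mangled spellings of a key compare equal.
    return key.replace("_", "").lower()


def lint_policy_document(doc: Dict[str, Any]) -> List[str]:
    """Return findings for a policy document dict before it is passed to
    PolicyDocument.from_json(). Two checks:
      * a Condition key that is a mangled spelling of MFA_KEY (dead condition);
      * an Allow with a wildcard Action, Resource "*" and no Condition at all.
    """
    findings: List[str] = []
    for stmt in _as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        conditions: Dict[str, Dict[str, Any]] = stmt.get("Condition", {})
        for operator, pairs in conditions.items():
            for key in pairs:
                if key != MFA_KEY and _canonical(key) == _canonical(MFA_KEY):
                    findings.append(
                        f"{sid}: condition key {key!r} is not {MFA_KEY!r}; "
                        f"the {operator} test will never match"
                    )
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (
            stmt.get("Effect") == "Allow"
            and not conditions
            and "*" in resources
            and any(a == "*" or a.endswith("*") for a in actions)
        ):
            findings.append(
                f"{sid}: Allow with wildcard Action on Resource '*' and no Condition"
            )
    return findings


def check_managed_policy_props(path: str, document: Dict[str, Any]) -> List[str]:
    """Combine both checks for the `path` and `document` props."""
    findings = [] if validate_path(path) else [f"path {path!r} is not a valid IAM path"]
    return findings + lint_policy_document(document)


# Constructed inputs (not real policies): the page's ThirdStatement with the
# mangled key, the same statement corrected, and a deliberately broad grant.
MANGLED_DOC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ThirdStatement",
        "Effect": "Allow",
        "Action": ["s3:List*", "s3:Get*"],
        "Resource": ["arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*"],
        "Condition": {"Bool": {"aws:_multi_factor_auth_present": "true"}},
    }],
}
FIXED_DOC = {
    "Version": "2012-10-17",
    "Statement": [dict(MANGLED_DOC["Statement"][0],
                       Condition={"Bool": {MFA_KEY: "true"}})],
}
BROAD_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminLike", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, doc in (("mangled", MANGLED_DOC), ("fixed", FIXED_DOC), ("broad", BROAD_DOC)):
        print(name, check_managed_policy_props("/security/", doc) or ["ok"])
```

Run these checks in a unit test or a synth hook before the dict reaches from_json(); the key-spelling check is the one that matters most, because IAM will happily accept the mangled document and the resulting policy looks right in the console while the MFA-gated statement never applies.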

Attributes

description

A description of the managed policy.

Typically used to store information about the permissions defined in the policy. For example, “Grants access to production DynamoDB tables.” The policy description is immutable. After a value is assigned, it cannot be changed.

Default:
  • empty

document

Initial PolicyDocument to use for this ManagedPolicy.

If omitted, any PolicyStatement provided in the statements property will be applied against the empty default PolicyDocument.

Default:
  • An empty policy.

groups

Groups to attach this policy to.

You can also use attachToGroup(group) to attach this policy to a group.

Default:
  • No groups.

managed_policy_name

The name of the managed policy.

If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name.

Default:
  • A name is automatically generated.

path

The path for the policy.

This parameter allows (through its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (U+0021) through the DEL character (U+007F), including most punctuation characters, digits, and upper- and lowercase letters.

For more information about paths, see IAM Identifiers in the IAM User Guide.

Default:
  • “/”

roles

Roles to attach this policy to.

You can also use attachToRole(role) to attach this policy to a role.

Default:
  • No roles.

statements

Initial set of permissions to add to this policy document.

You can also use addStatements(statement) to add permissions later.

Default:
  • No statements.

users

Users to attach this policy to.

You can also use attachToUser(user) to attach this policy to a user.

Default:
  • No users.