iam-policy-in-use - AWS Config


Checks whether the IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity.


The AWS::IAM::User resource type can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. AWS::IAM::User cannot be recorded in Regions supported by AWS Config after February 2022.

Additionally, if you have selected to record AWS::IAM::User in at least one Region, periodic rules such as this rule that report compliance on AWS::IAM::User will run evaluations on AWS::IAM::User in all Regions where the periodic rule is added, even if you have not enabled the recording of AWS::IAM::User in the Region where the periodic rule was added.

You should only deploy this rule to one of the supported Regions to avoid unnecessary evaluations and API throttling. Not enabling the recording of global IAM resource types will not prevent this rule from running evaluations, if you have enable the recording of global IAM resource types in another Region. To avoid unnecessary evaluations, you should limit the deployment of this rule to one Region.


Resource Types: AWS::IAM::Policy

Trigger type: Periodic

AWS Region: All supported AWS regions except Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region


Type: String

An IAM policy ARN to be checked.

policyUsageType (Optional)
Type: String

Specify whether you expect the policy to be attached to an IAM user, group or role. Valid values are IAM_USER, IAM_GROUP, IAM_ROLE, or ANY. Default value is ANY.

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.