IAM Policy Documentation Study Notes

policy document

  • IAM permissions policies attached to a role determine what tasks the role can perform. Limit permissions to only the actions the role needs to perform, and only the resources it needs to perform those actions on. You can use AWS-managed or customer-created IAM permissions policies.
    • Actions: Which actions you will allow. Each AWS service has its own set of operations. For example, you might allow users to use the Amazon S3 ListBucket operation, which returns information about the items in the bucket. Any action that you do not explicitly allow will be denied.
    • Resources: Which resources you are allowed to perform operations on. For example, which specific Amazon S3 buckets will you allow users to perform ListBucket operations on? Users cannot access any resources for which you have not explicitly granted permission.
    • Effect: What effect (allow or deny) will occur when the user requests access. Because the default is to deny users access to resources, you typically need to specify that you will allow users to access resources.
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [ "A list of the permissions the role is allowed to use" ],
        "Resource": [ "A list of the resources the role is allowed to access" ]
    }
}
  • A trust policy allows a service to assume the role. For example, you can attach the following trust policy to a role with the UpdateAssumeRolePolicy action. The trust policy allows Amazon EC2 to use the role and the permissions attached to it.
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "TrustPolicyStatementThatAllowsEC2ServiceToAssumeTheAttachedRole",
        "Effect": "Allow",
        "Principal": { "Service": "ec2.amazonaws.com" },
        "Action": "sts:AssumeRole"
    }
}
  • IAM permissions policies attached to IAM users control which roles those users may pass to a service. iam:PassRole is often granted together with iam:GetRole so that the user can look up the details of the role that is about to be passed. In this example, users can only pass roles whose names start with EC2-roles-for-XYZ-:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::*:role/EC2-roles-for-XYZ-*"
    }]
}
  • Policy to Authorize Users to Launch Instances with Any Role Using the Amazon EC2 Console
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:PassRole",
      "iam:ListInstanceProfiles",
      "ec2:*"
    ],
    "Resource": "*"
  }]
}
  • The following example policy lets users launch instances with a role using the Amazon EC2 API. The Resource element specifies the Amazon Resource Name (ARN) of the role. By specifying the ARN, the policy grants the user permission to pass only the Get-pics role. If the user tries to assign a different role when launching the instance, the operation fails.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/Get-pics"
    }
  ]
}
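The three PassRole policies above differ only in how tightly their Resource element is scoped. As an added example (not from these notes or from AWS), here is a small lint that flags Allow statements granting iam:PassRole on an unbounded set of roles; it also reports the absence of the iam:PassedToService condition key, a real key not covered in the notes, which limits the service a role may be passed to. The policy copies and the account id 123456789012 are constructed for the example.

```python
import fnmatch

# Constructed dict copies of the three PassRole policies above; 123456789012 is a placeholder account id.
POLICIES = {
    "scoped_prefix": {"Statement": [{
        "Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
        "Resource": "arn:aws:iam::*:role/EC2-roles-for-XYZ-*"}]},
    "console_any_role": {"Statement": [{
        "Effect": "Allow", "Action": ["iam:PassRole", "iam:ListInstanceProfiles", "ec2:*"],
        "Resource": "*"}]},
    "single_role": {"Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/Get-pics"}]},
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _grants_passrole(action):
    # Action names are case-insensitive and may be wildcarded (iam:*, iam:Pass*), so match by pattern.
    return fnmatch.fnmatchcase("iam:passrole", action.lower())

def lint_passrole(policy):
    """Return findings for Allow statements that let the principal pass an unbounded set of roles."""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or not any(map(_grants_passrole, _as_list(st.get("Action", [])))):
            continue
        for res in _as_list(st.get("Resource", [])):
            parts = res.split(":")  # arn:partition:service:region:account:resource
            if res == "*" or res.endswith(":role/*"):
                findings.append(f"PassRole on every role ({res}); list the role ARNs that may be passed")
            elif len(parts) > 5 and parts[4] == "*":
                findings.append(f"PassRole role pattern spans every account ({res}); pin the account id")
        cond_keys = {k.lower() for pairs in st.get("Condition", {}).values() for k in pairs}
        if "iam:passedtoservice" not in cond_keys:
            findings.append("no iam:PassedToService condition; the role may be passed to any service")
    return findings

def lint_all(policies=POLICIES):
    return {name: lint_passrole(p) for name, p in policies.items()}
```

Running lint_all() flags the console policy twice (any role, any service) and the prefix policy for its any-account ARN, while the Get-pics policy only lacks the service condition.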
  • To create a user, the user must have the iam:CreateUser permission (API command: CreateUser). To allow a user to create other IAM users, you can attach a policy similar to the following to the user:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "iam:CreateUser",
    "Resource": "*"
  }
}
  • Allow users to manage their own passwords (from the "My Password" page)
  • If the account's password policy is not set to allow all users to change their own passwords, you can attach the following policy to selected users or groups to allow those users to change only their own passwords. This policy only allows users to use the special "My Password" page in the console; it does not grant them permission to work in the IAM console dashboard.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    }
  ]
}
  • Allow users to manage their own passwords, access keys and SSH keys
    • Create, change or delete your own password. This includes the CreateLoginProfile, DeleteLoginProfile, GetLoginProfile, and UpdateLoginProfile operations.
    • Create or delete your own access keys (Access Key ID and Secret Access Key). This includes the CreateAccessKey, DeleteAccessKey, GetAccessKeyLastUsed, ListAccessKeys, and UpdateAccessKey operations.
    • Create or delete your own SSH keys. This includes the UploadSSHPublicKey, DeleteSSHPublicKey, GetSSHPublicKey, ListSSHPublicKeys, and UpdateSSHPublicKey operations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
  • The actions in the above policy contain wildcards (e.g. iam:*LoginProfile, iam:*AccessKey*, and iam:*SSHPublicKey*). This is an easy way to cover a set of related operations. If you want to withhold any one of the related operations, you must instead list each operation individually. For example, if you do not want users to be able to delete their passwords, list iam:CreateLoginProfile, iam:GetLoginProfile, and iam:UpdateLoginProfile separately and omit iam:DeleteLoginProfile.
  • The second element in the Statement array (containing the iam:GetAccountSummary, iam:GetAccountPasswordPolicy, iam:ListAccount*, and iam:ListUsers permissions) allows the user to view certain information on the IAM console dashboard, such as whether a password policy is enabled, the number of groups in the account, the account URL and alias, and so on. For example, the GetAccountSummary operation returns an object containing a collection of information about the account that is then displayed on the IAM console dashboard.

  • The following policy is similar to the previous one, but does not include the permissions required only for console access. This policy allows users to manage their own credentials using the AWS CLI, Tools for Windows PowerShell, AWS SDKs, or the IAM HTTP Query API.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SSHPublicKey*"
    ],
    "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
  }
}
  • Allow users to list an account's groups, users, policies, etc. for reporting purposes
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:Get*",
      "iam:List*"
    ],
    "Resource": "*"
  }
}
  • Allow users to manage group membership
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:AddUserToGroup",
      "iam:RemoveUserFromGroup",
      "iam:GetGroup"
    ],
    "Resource": "arn:aws:iam::account-id-without-hyphens:group/MarketingGroup"
  }
}

  • Allow users to manage IAM users
    • Create a user (CreateUser action).
    • Delete users. This task requires permissions to perform all of the following operations: DeleteSigningCertificate, DeleteLoginProfile, RemoveUserFromGroup, and DeleteUser.
    • List users in accounts and groups (GetUser, ListUsers, and ListGroupsForUser operations).
    • List and delete user policies (ListUserPolicies, ListAttachedUserPolicies, DetachUserPolicy, and DeleteUserPolicy actions).
    • Rename or change the user's path (UpdateUser operation). The Resource element must include ARNs involving the source and destination paths. For more information about paths, see Friendly Names and Paths.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToPerformUserActions",
      "Effect": "Allow",
      "Action": [
        "iam:CreateUser",
        "iam:ListUsers",
        "iam:GetUser",
        "iam:UpdateUser",
        "iam:DeleteUser",
        "iam:ListGroupsForUser",
        "iam:ListUserPolicies",
        "iam:ListAttachedUserPolicies",
        "iam:DeleteSigningCertificate",
        "iam:DeleteLoginProfile",
        "iam:RemoveUserFromGroup",
        "iam:DetachUserPolicy",
        "iam:DeleteUserPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccount*",
        "iam:ListAccount*"
      ],
      "Resource": "*"
    }
  ]
}
  • Allow users to set account password policies
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:GetAccountPasswordPolicy",
      "iam:UpdateAccountPasswordPolicy"
    ],
    "Resource": "*"
  }
}
  • Allow users to generate and retrieve IAM credential reports
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:GenerateCredentialReport",
      "iam:GetCredentialReport"
    ],
    "Resource": "*"
  }
}
  • Only allow users to manage their own virtual MFA devices
    • The following policy allows users to configure and manage their own virtual MFA devices from the AWS Management Console or using any command-line tool. This policy only allows MFA-authenticated users to deactivate and delete their virtual MFA devices.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Sid": "AllowUsersToListMFADevicesandUsersForConsole",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
  • Note:
    • The iam:DeleteVirtualMFADevice action is placed in the first statement instead of the second, so it is not subject to the MFA condition check. This is not a security issue, because an MFA device can only be deleted after it has been deactivated, and deactivation requires the user to authenticate with MFA. This placement handles the case where the user cancels the Create MFA Device wizard after the device has been created but before the two codes have been validated and associated with the user. Since the user is not yet MFA-authenticated at that point, the wizard (running with that user's privileges) would be unable to delete the device if the policy required MFA authentication for deletion.

  • Policies are documents written in JSON. A policy consists of one or more statements, each of which describes a set of permissions. The following is an example of a simple policy.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
  • The following example shows a policy that can be attached to an Amazon S3 bucket to grant a specific AWS account permission to perform any Amazon S3 operation on mybucket. This includes working with the bucket and the objects in it. (Because the policy only grants trust to the account, each user in that account must still be granted permission to perform the specified Amazon S3 operations.)
{
  "Version": "2012-10-17",
  "Id": "S3-Account-Permissions",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ]
  }]
}
  • Allow users to create, update, delete, list and get all managed policies and set their default versions
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:CreatePolicy",
      "iam:CreatePolicyVersion",
      "iam:DeletePolicy",
      "iam:DeletePolicyVersion",
      "iam:GetPolicy",
      "iam:GetPolicyVersion",
      "iam:ListPolicies",
      "iam:ListPolicyVersions",
      "iam:SetDefaultPolicyVersion"
    ],
    "Resource": "*"
  }
}
  • Allow users to delete policy versions and set the default version only for specific policies
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:DeletePolicyVersion",
      "iam:SetDefaultPolicyVersion"
    ],
    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/TEAM-A/*"
  }
}
  • Allow users to attach managed policies only to specific groups or roles
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:AttachGroupPolicy",
      "iam:AttachRolePolicy"
    ],
    "Resource": [
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:group/TEAM-A/*",
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/TEAM-A/*"
    ]
  }
}
  • This policy exhibits both allow and deny for the same service.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccess",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["*"]
        },
        {
            "Sid": "DenyCustomerBucket",
            "Action": ["s3:*"],
            "Effect": "Deny",
            "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*" ]
        }
    ]
}
  • This policy provides row-level access to Amazon DynamoDB based on the user's Amazon Cognito ID.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}
  • Multiple resources, each with its own condition
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": ["arn:aws:s3:::Apple_bucket/*"],
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": ["public-read"]
            }
        }
    }, {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": ["arn:aws:s3:::Orange_bucket/*"],
        "Condition": {
            "StringEquals": {
                "s3:prefix": ["custom", "other"]
            }
        }
    }]
}

  • Allow users to access specific buckets in Amazon S3
    • In the following policy, you need to replace EXAMPLE-BUCKET-NAME with your bucket name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    }
  ]
}
  • Allow users to access personal "home directories" in Amazon S3
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET-NAME",
      "Condition": {"StringLike": {"s3:prefix": [
        "",
        "home/",
        "home/${aws:username}/*"
      ]}}
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME/home/${aws:username}",
        "arn:aws:s3:::BUCKET-NAME/home/${aws:username}/*"
      ]
    }
  ]
}
  • Allow users logged in with Amazon Cognito to access their Amazon S3 folders
    • The policies shown in the following examples can be used in mobile applications that use Amazon Cognito. The condition ensures that users can only access objects in the bucket EXAMPLE-BUCKET-NAME whose key is made up of the provider name (cognito here), the friendly name of the application (mynumbersgame here), and the federated user's ID.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"],
      "Condition": {"StringLike": {"s3:prefix": ["cognito/mynumbersgame/"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
  • Allow users to perform all operations on the DynamoDB table whose name matches the user's name
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:AWS-REGION-IDENTIFIER:ACCOUNT-ID-WITHOUT-HYPHENS:table/${aws:username}"
    }
  ]
}
  • The policy uses a policy variable (${aws:username}) that is evaluated at runtime and contains the friendly name of the IAM user making the request.

  • Block requests not from approved IP addresses or ranges
    • The aws:SourceIp condition key is only valid in an IAM policy if you are calling the API directly as a user. If you instead use a service to call the target service on your behalf, the target service sees the IP address of the calling service instead of the source user's IP address. This happens, for example, if you use AWS CloudFormation to call Amazon EC2 to build an instance. Currently, calling a target service through another service cannot pass along the source IP address, so it cannot be evaluated in an IAM policy. Do not use the aws:SourceIp condition key for these kinds of service API calls.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": [
      "192.0.2.0/24",
      "203.0.113.0/24"
    ]}}
  }
}
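The evaluation rules that run through these notes (default deny, wildcard matching in Action and Resource, an explicit Deny overriding any Allow, ${aws:username} substitution, the MFA Bool condition, and the aws:SourceIp caveat just described) can be exercised offline with a small evaluator. This is an added example, not code from the notes or from AWS; it implements only the Bool and NotIpAddress operators, the policy copies are constructed, and 123456789012 is a placeholder account id.

```python
import fnmatch
import ipaddress
import re
def _as_list(x):
    return x if isinstance(x, list) else [x]

def _subst(value, ctx):
    # Expand policy variables such as ${aws:username} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), value)

def _match(patterns, value, ctx):
    # IAM wildcards ('*' any run, '?' one char) map directly onto fnmatch metacharacters.
    return any(fnmatch.fnmatchcase(value, _subst(p, ctx)) for p in _as_list(patterns))

def _cond_ok(cond, ctx):
    # Only the operators these notes use are implemented: Bool and NotIpAddress.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool" and str(have).lower() != str(want).lower():
                return False
            if op == "NotIpAddress" and have is not None and any(
                    ipaddress.ip_address(have) in ipaddress.ip_network(n) for n in _as_list(want)):
                return False  # a missing aws:SourceIp leaves a NotIpAddress deny in force
    return True

def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' following IAM evaluation order."""
    decision = "ImplicitDeny"  # default deny until some statement allows the request
    for pol in policies:
        for st in _as_list(pol["Statement"]):
            if (_match(st["Action"], action, ctx) and _match(st["Resource"], resource, ctx)
                    and _cond_ok(st.get("Condition", {}), ctx)):
                if st["Effect"] == "Deny":
                    return "ExplicitDeny"  # an explicit deny overrides every allow
                decision = "Allow"
    return decision

# Constructed dict copies of four policies from these notes; 123456789012 is a placeholder account id.
S3 = {"Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
                    {"Effect": "Deny", "Action": ["s3:*"],
                     "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]}]}
DDB = {"Statement": {"Effect": "Allow", "Action": "dynamodb:*",
                     "Resource": "arn:aws:dynamodb:us-west-1:123456789012:table/${aws:username}"}}
MFA = {"Statement": {"Effect": "Allow", "Action": ["iam:DeactivateMFADevice"],
                     "Resource": ["arn:aws:iam::123456789012:mfa/${aws:username}"],
                     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}}
IPDENY = {"Statement": {"Effect": "Deny", "Action": "*", "Resource": "*",
                        "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}}}

def demo():
    # Sample requests for the constructed user 'alice'; returns a name -> decision map.
    pols, ctx = [S3, DDB, MFA], {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}
    tbl = "arn:aws:dynamodb:us-west-1:123456789012:table/"
    obj, mfa = "arn:aws:s3:::reports/q1.csv", "arn:aws:iam::123456789012:mfa/alice"
    return {
        "s3_other": evaluate(pols, "s3:GetObject", obj, ctx),
        "s3_customer": evaluate(pols, "s3:GetObject", "arn:aws:s3:::customer/a.txt", ctx),
        "ddb_own": evaluate(pols, "dynamodb:PutItem", tbl + "alice", ctx),
        "ddb_other": evaluate(pols, "dynamodb:PutItem", tbl + "bob", ctx),
        "mfa_without": evaluate(pols, "iam:DeactivateMFADevice", mfa, ctx),
        "mfa_with": evaluate(pols, "iam:DeactivateMFADevice", mfa, {**ctx, "aws:MultiFactorAuthPresent": "true"}),
        "ip_approved": evaluate(pols + [IPDENY], "s3:GetObject", obj, {**ctx, "aws:SourceIp": "192.0.2.10"}),
        "ip_missing": evaluate(pols + [IPDENY], "s3:GetObject", obj, ctx),
    }
```

The "ip_missing" case models a request that arrives without aws:SourceIp, as when a service calls on the user's behalf: the NotIpAddress deny then applies, which is why the notes advise against the key for such calls. The same matcher also shows the wildcard point made earlier: an Allow on iam:*LoginProfile covers iam:DeleteLoginProfile.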
  • Programmatic read and write permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
  • Allow access to an Amazon S3 bucket from the AWS Management Console
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}

Origin http://43.154.161.224:23101/article/api/json?id=326001481&siteId=291194637