Creating IAM policies (Amazon CLI) - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating IAM policies (Amazon CLI)

A policy is an entity that, when attached to an identity or resource, defines their permissions. You can use the Amazon CLI to create customer managed policies in IAM. Customer managed policies are standalone policies that you administer in your own Amazon Web Services account. As a best practice, we recommend that you use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions. By validating your policies you can address any errors or recommendations before you attach the policies to identities (users, groups, and roles) in your Amazon Web Services account.

The number and size of IAM resources in an Amazon account are limited. For more information, see IAM and Amazon STS quotas.

Creating IAM policies (Amazon CLI)

You can create an IAM customer managed policy or an inline policy using the Amazon Command Line Interface (Amazon CLI).

To create a customer managed policy (Amazon CLI)

Use the following command:

To create an inline policy for an IAM identity (group, user or role) (Amazon CLI)

Use one of the following commands:


You can't use IAM to embed an inline policy for a service-linked role.

To validate a customer managed policy (Amazon CLI)

Use the following IAM Access Analyzer command: