Creating IAM policies - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating IAM policies

A policy is an entity that, when attached to an identity or resource, defines its permissions. You can use the Amazon Web Services Management Console, Amazon CLI, or Amazon API to create customer managed policies in IAM. Customer managed policies are standalone policies that you administer in your own Amazon Web Services account. You can then attach the policies to identities (users, groups, and roles) in your Amazon Web Services account.

A policy that is attached to an identity in IAM is known as an identity-based policy. Identity-based policies can include Amazon managed policies, customer managed policies, and inline policies. Amazon managed policies are created and managed by Amazon. You can attach them, but you can't edit them. An inline policy is one that you create and embed directly in an IAM group, user, or role. Inline policies can't be reused on other identities or managed outside of the identity where they exist. For more information, see Adding and removing IAM identity permissions.

Use customer managed policies instead of inline policies. A customer managed policy can be reused across identities, versioned (so a change can be rolled back), and reviewed in one place, whereas inline policies have to be audited identity by identity. It's also best to use customer managed policies instead of Amazon managed policies. Amazon managed policies usually provide broad administrative or read-only permissions across a whole service. For greatest security, grant least privilege, which is granting only the permissions required to perform specific job tasks, scoped to the specific resources those tasks need.

When you create or edit IAM policies, Amazon can automatically perform policy validation to help you create an effective policy with least privilege in mind. In the Amazon Web Services Management Console, IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see Validating IAM policies. To learn more about IAM Access Analyzer policy checks and actionable recommendations, see IAM Access Analyzer policy validation.

For more information about using Amazon CloudFormation templates to add or update policies, see Amazon Identity and Access Management resource type reference in the Amazon CloudFormation User Guide.
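The following Python script is added here as an example and is not code from the Amazon documentation. It ties together the two points above: it builds a customer managed policy document with least privilege in mind (one bucket, one prefix, read-only actions), runs a few local pre-flight checks of the kind IAM Access Analyzer reports (wildcard actions and resources, NotAction/NotResource, the 6,144-character managed-policy limit), and only then creates the policy through the API with boto3. The bucket name, prefix and policy name are placeholders chosen for the example; the local checks are a pre-flight only and do not replace Access Analyzer's validation.

```python
"""Build, lint and create a least-privilege customer managed policy.

Added example, not code from the Amazon documentation. The bucket, prefix
and policy names are placeholders constructed for the example.
"""
import json
import re
from typing import Dict, List

MANAGED_POLICY_MAX_CHARS = 6144  # IAM limit for a managed policy document, whitespace excluded
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")  # expected shape: service:Action


def build_policy(bucket: str, prefix: str) -> Dict:
    """Allow listing one prefix of one bucket and reading the objects under it, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListPrefixOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": "ReadObjectsUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def policy_chars(doc: Dict) -> int:
    """Character count the way IAM measures it: the JSON with whitespace removed."""
    return len(json.dumps(doc, separators=(",", ":")))


def lint_policy(doc: Dict) -> List[str]:
    """Local pre-flight checks; returns a list of findings, empty when nothing is flagged."""
    findings: List[str] = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17; older versions disable policy variables")
    if policy_chars(doc) > MANAGED_POLICY_MAX_CHARS:
        findings.append(f"document exceeds {MANAGED_POLICY_MAX_CHARS} characters (managed policy limit)")
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written without the list
        stmts = [stmts]
    for i, st in enumerate(stmts):
        sid = st.get("Sid", f"statement[{i}]")
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource match everything not listed; prefer explicit lists")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if effect != "Allow":
            continue  # broad Deny statements are not a least-privilege problem
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: action {a!r} grants a whole service or every action")
            elif not ACTION_RE.match(a):
                findings.append(f"{sid}: action {a!r} is not of the form service:Action")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' in an Allow statement; confirm every action lacks resource-level support")
    return findings


# Constructed counter-example: the kind of over-broad document least privilege argues against.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def create_policy(name: str, doc: Dict) -> str:
    """Create the customer managed policy through the IAM API and return its ARN.
    Needs credentials and network access; not exercised by the offline checks."""
    import boto3  # imported lazily so the checks above run without boto3 installed
    iam = boto3.client("iam")
    resp = iam.create_policy(PolicyName=name, PolicyDocument=json.dumps(doc))
    return resp["Policy"]["Arn"]


if __name__ == "__main__":
    doc = build_policy("example-reports-bucket", "reports/2024")
    print(json.dumps(doc, indent=2))
    print("findings for least-privilege policy:", lint_policy(doc))
    print("findings for broad policy:", lint_policy(BROAD_POLICY))
    # With valid credentials: print(create_policy("ReportsReadOnly", doc))
```

Run the script as-is to see the two policies compared; the least-privilege document produces no findings, while the broad one is flagged twice (whole-service action and wildcard resource). Only when the local findings are clean does it make sense to call `create_policy`, after which the document should still be reviewed with Access Analyzer, since the checks here are a subset of what it reports.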