Amazon managed policies for job functions - Amazon Identity and Access Management

Amazon managed policies for job functions

We recommend using policies that grant least privilege, or granting only the permissions required to perform a task. The most secure way to grant least privilege is to write a custom policy with only the permissions needed by your team. You must create a process to allow your team to request more permissions when necessary. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need.

To get started adding permissions to your IAM identities (users, groups of users, and roles), you can use Amazon managed policies. Amazon managed policies cover common use cases and are available in your Amazon account. Amazon managed policies don't grant least privilege permissions. You must consider the security risk of granting your principals more permissions than they need to do their job.

You can attach Amazon managed policies, including job functions, to any IAM identity. To switch to least privilege permissions, you can run Amazon Identity and Access Management Access Analyzer to monitor principals with Amazon managed policies. After learning which permissions they are using, you can write a custom policy or generate a policy with only the required permissions for your team. This is less secure, but provides more flexibility as you learn how your team is using Amazon.
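The workflow in this paragraph, observe what a principal actually uses and then generate a narrower policy, as an added example that is not part of the IAM documentation: it assumes the observations are CloudTrail-style records with eventSource, eventName and requestParameters fields, and the records and account ID below are constructed for illustration.

```python
"""Added example (not from the IAM documentation): build a narrower customer
managed policy from the actions a principal was observed using."""
import json
from collections import defaultdict

# Constructed sample: what a principal holding NetworkAdministrator was seen
# doing over the monitoring period. The account ID is a placeholder.
OBSERVED_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs", "requestParameters": {}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateFlowLogs",
     "requestParameters": {"resourceType": "VPC",
                           "deliverLogsPermissionArn": "arn:aws:iam::123456789012:role/flow-logs-vpc"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs", "requestParameters": {}},
    {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogGroup",
     "requestParameters": {"logGroupName": "vpc-flow-logs"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]

# Recorded calls that need no IAM permission, so they produce no action.
NO_PERMISSION_NEEDED = {"sts:GetCallerIdentity"}


def passed_roles(event):
    """Role ARNs found among the top-level request parameters of one record.
    iam:PassRole is not logged as its own event; the role a service received
    is only visible in the parameters of the call that passed it."""
    params = event.get("requestParameters") or {}
    return {v for v in params.values()
            if isinstance(v, str) and v.startswith("arn:aws:iam::") and ":role/" in v}


def observed_actions(events):
    """Map records to IAM action strings such as 'ec2:DescribeVpcs', plus the
    set of roles that were passed. Caveat: eventName is not always the IAM
    action name (S3 data events and some console calls differ); review the
    result before attaching it."""
    actions, roles = set(), set()
    for event in events:
        service = event["eventSource"].split(".")[0]
        action = f"{service}:{event['eventName']}"
        if action not in NO_PERMISSION_NEEDED:
            actions.add(action)
        roles |= passed_roles(event)
    return actions, roles


def build_policy(actions, roles):
    """One Allow statement per service; iam:PassRole is never left on '*' but
    scoped to the roles actually passed, as the job function policies do."""
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":")[0]].append(action)
    statements = [{"Effect": "Allow", "Action": acts, "Resource": "*"}
                  for _, acts in sorted(by_service.items())]
    if roles:
        statements.append({"Effect": "Allow", "Action": ["iam:PassRole"],
                           "Resource": sorted(roles)})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(*observed_actions(OBSERVED_EVENTS)), indent=2))
```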

Amazon managed policies for job functions are designed to closely align to common job functions in the IT industry. You can use these policies to grant the permissions needed to carry out the tasks expected of someone in a specific job function. These policies consolidate permissions for many services into a single policy that's easier to work with than having permissions scattered across many policies.

Use Roles to Combine Services

Some of the policies use IAM service roles to help you take advantage of features found in other Amazon services. These policies grant access to iam:PassRole, which allows a user with the policy to pass a role to an Amazon service. This role delegates IAM permissions to the Amazon service to carry out actions on your behalf.

You must create the roles according to your needs. For example, the Network Administrator policy allows a user with the policy to pass a role named "flow-logs-vpc" to the Amazon CloudWatch service. CloudWatch uses that role to log and capture IP traffic for VPCs created by the user.

To follow security best practices, the policies for job functions include filters that limit the names of valid roles that can be passed. This helps avoid granting unnecessary permissions. If your users do require the optional service roles, you must create a role that follows the naming convention specified in the policy. You then grant permissions to the role. Once that is done, the user can configure the service to use the role, granting it whatever permissions the role provides.

In the following sections, each policy's name is a link to the policy details page in the Amazon Web Services Management Console. There you can see the policy document and review the permissions it grants.

Administrator job function

Amazon managed policy name: AdministratorAccess

Use case: This user has full access and can delegate permissions to every service and resource in Amazon.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants all actions for all Amazon services and for all resources in the account.

Note

Before an IAM user or role can access the Amazon Billing and Cost Management console with the permissions in this policy, you must first activate IAM user and role access. To do this, follow the instructions in Step 1 of the tutorial about delegating access to the billing console.

Billing job function

Amazon managed policy name: Billing

Use case: This user needs to view billing information, set up payments, and authorize payments. The user can monitor the costs accumulated for the entire Amazon service.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants full permissions for managing billing, costs, payment methods, budgets, and reports.

Note

Before an IAM user or role can access the Amazon Billing and Cost Management console with the permissions in this policy, you must first activate IAM user and role access. To do this, follow the instructions in Step 1 of the tutorial about delegating access to the billing console.

Database administrator job function

Amazon managed policy name: DatabaseAdministrator

Use case: This user sets up, configures, and maintains databases in the Amazon Cloud.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants permissions to create, configure, and maintain databases. It includes access to Amazon database services, such as Amazon DynamoDB, Amazon Relational Database Service (RDS), and Amazon Redshift. View the policy for the full list of database services that this policy supports.

This job function policy supports the ability to pass roles to Amazon services. The policy allows the iam:PassRole action for only those roles named in the following table. For more information, see Creating roles and attaching policies (console) later in this topic.

Optional IAM service roles for the database administrator job function (in the role names below, * is a wildcard)

Use case: Allow the user to monitor RDS databases
Role name: rds-monitoring-role
Service role type to select: Amazon RDS Role for Enhanced Monitoring
Amazon managed policy to select: AmazonRDSEnhancedMonitoringRole

Use case: Allow Amazon Lambda to monitor your database and access external databases
Role name: rdbms-lambda-access
Service role type to select: Amazon EC2
Amazon managed policy to select: AWSLambda_FullAccess

Use case: Allow Lambda to upload files to Amazon S3 and to Amazon Redshift clusters with DynamoDB
Role name: lambda_exec_role
Service role type to select: Amazon Lambda
Amazon managed policy to select: Create a new managed policy as defined in the Amazon Big Data Blog

Use case: Allow Lambda functions to act as triggers for your DynamoDB tables
Role name: lambda-dynamodb-*
Service role type to select: Amazon Lambda
Amazon managed policy to select: AWSLambdaDynamoDBExecutionRole

Use case: Allow Lambda functions to access Amazon RDS in a VPC
Role name: lambda-vpc-execution-role
Service role type to select: Create a role with a trust policy as defined in the Amazon Lambda Developer Guide
Amazon managed policy to select: AWSLambdaVPCAccessExecutionRole

Use case: Allow Amazon Data Pipeline to access your Amazon resources
Role name: DataPipelineDefaultRole
Service role type to select: Create a role with a trust policy as defined in the Amazon Data Pipeline Developer Guide
Amazon managed policy to select: The Amazon Data Pipeline documentation lists the required permissions for this use case. See IAM roles for Amazon Data Pipeline.

Use case: Allow your applications running on Amazon EC2 instances to access your Amazon resources
Role name: DataPipelineDefaultResourceRole
Service role type to select: Create a role with a trust policy as defined in the Amazon Data Pipeline Developer Guide
Amazon managed policy to select: AmazonEC2RoleforDataPipelineRole

Data scientist job function

Amazon managed policy name: DataScientist

Use case: This user runs Hadoop jobs and queries. The user also accesses and analyzes information for data analytics and business intelligence.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants permissions to create, manage, and run queries on an Amazon EMR cluster and perform data analytics with tools such as Amazon QuickSight. The policy includes access to additional data scientist services, such as Amazon Data Pipeline, Amazon EC2, Amazon Kinesis, Amazon Machine Learning, and SageMaker. View the policy for the full list of data scientist services that this policy supports.

This job function policy supports the ability to pass roles to Amazon services. One statement allows passing any role to SageMaker. Another statement allows the iam:PassRole action for only those roles named in the following table. For more information, see Creating roles and attaching policies (console) later in this topic.

Optional IAM service roles for the data scientist job function (in the role names below, * is a wildcard)

Use case: Allow Amazon EC2 instances access to services and resources suitable for clusters
Role name: EMR-EC2_DefaultRole
Service role type to select: Amazon EMR for EC2
Amazon managed policy to select: AmazonElasticMapReduceforEC2Role

Use case: Allow Amazon EMR to access the Amazon EC2 service and resources for clusters
Role name: EMR_DefaultRole
Service role type to select: Amazon EMR
Amazon managed policy to select: AmazonEMRServicePolicy_v2

Use case: Allow Amazon Kinesis Data Analytics to access streaming data sources
Role name: kinesis-*
Service role type to select: Create a role with a trust policy as defined in the Amazon Big Data Blog
Amazon managed policy to select: See the Amazon Big Data Blog, which outlines four possible options depending on your use case

Use case: Allow Amazon Data Pipeline to access your Amazon resources
Role name: DataPipelineDefaultRole
Service role type to select: Create a role with a trust policy as defined in the Amazon Data Pipeline Developer Guide
Amazon managed policy to select: The Amazon Data Pipeline documentation lists the required permissions for this use case. See IAM roles for Amazon Data Pipeline.

Use case: Allow your applications running on Amazon EC2 instances to access your Amazon resources
Role name: DataPipelineDefaultResourceRole
Service role type to select: Create a role with a trust policy as defined in the Amazon Data Pipeline Developer Guide
Amazon managed policy to select: AmazonEC2RoleforDataPipelineRole

Developer power user job function

Amazon managed policy name: PowerUserAccess

Use case: This user performs application development tasks and can create and configure resources and services that support Amazon-aware application development.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: The first statement of this policy uses the NotAction element to allow all actions for all Amazon services and for all resources except Amazon Identity and Access Management and Amazon Organizations. The second statement grants IAM permissions to create a service-linked role. This is required by some services that must access resources in another service, such as an Amazon S3 bucket. It also grants Organizations permissions to view information about the user's organization, including the management account email and organization limitations. Although this policy limits IAM and Organizations access, it allows the user to perform all Amazon Web Services SSO actions if Amazon Web Services SSO is enabled.
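The two statement shapes this page describes, a PassRole statement filtered by role name (the Network Administrator section's flow-logs-* convention) and the PowerUserAccess NotAction statement, as an added example that is not code from the IAM documentation or from the managed policies themselves: a small evaluator that shows which requests each statement permits. The statements are simplified reconstructions from the descriptions on this page, not the policies' exact text, and the account ID is a constructed placeholder.

```python
"""Added example: a minimal IAM policy evaluator for the two statement shapes
described on this page. Not the IAM documentation's code; the statements are
reconstructions from the page's descriptions. Real IAM evaluation also weighs
Condition elements, SCPs, permission boundaries and resource policies; none of
those are modelled here."""
from fnmatch import fnmatchcase


def matches(pattern, value):
    # IAM wildcards: '*' is any run of characters, '?' a single character.
    # fnmatchcase also treats '[' specially; ARNs and action names never contain it.
    return fnmatchcase(value, pattern)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_applies(stmt, action, resource):
    """Does this statement cover the (action, resource) pair at all?"""
    action_lc = action.lower()  # action names match case-insensitively
    if "Action" in stmt:
        action_hit = any(matches(p.lower(), action_lc) for p in _as_list(stmt["Action"]))
    else:
        # NotAction: applies to every action NOT listed, including actions of
        # services that did not exist when the statement was written.
        action_hit = not any(matches(p.lower(), action_lc) for p in _as_list(stmt["NotAction"]))
    resource_hit = any(matches(p, resource) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def is_allowed(policy, action, resource="*"):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Network Administrator shape: pass only roles whose name starts with flow-logs-
NETWORK_ADMIN_PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/flow-logs-*"},
]}

# PowerUserAccess shape: everything except IAM and Organizations, plus a few
# actions from those services that the second statement re-allows.
POWER_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole",
                                   "organizations:DescribeOrganization"], "Resource": "*"},
]}

if __name__ == "__main__":
    for role in ("flow-logs-vpc", "AdminRole"):  # 123456789012 is a placeholder account
        arn = f"arn:aws:iam::123456789012:role/{role}"
        print(f"NetworkAdministrator may pass {role}: {is_allowed(NETWORK_ADMIN_PASSROLE, 'iam:PassRole', arn)}")
    for action in ("ec2:RunInstances", "sso:CreatePermissionSet", "iam:CreateUser"):
        print(f"PowerUserAccess may call {action}: {is_allowed(POWER_USER, action)}")
```

Note that the NotAction statement permits sso:CreatePermissionSet only because SSO is not on the excluded list, which is exactly the behaviour the description above warns about.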

Network administrator job function

Amazon managed policy name: NetworkAdministrator

Use case: This user is tasked with setting up and maintaining Amazon network resources.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants permissions to create and maintain network resources in Auto Scaling, Amazon EC2, Amazon Direct Connect, Route 53, Amazon CloudFront, Elastic Load Balancing, Amazon Elastic Beanstalk, Amazon SNS, CloudWatch, CloudWatch Logs, Amazon S3, IAM, and Amazon Virtual Private Cloud.

This job function requires the ability to pass roles to Amazon services. The policy grants iam:GetRole and iam:PassRole for only those roles named in the following table. For more information, see Creating roles and attaching policies (console) later in this topic.

Optional IAM service roles for the network administrator job function (in the role names below, * is a wildcard)

Use case: Allows Amazon VPC to create and manage logs in CloudWatch Logs on the user's behalf to monitor IP traffic going in and out of your VPC
Role name: flow-logs-*
Service role type to select: Create a role with a trust policy as defined in the Amazon VPC User Guide
Amazon managed policy to select: This use case does not have an existing Amazon managed policy, but the documentation lists the required permissions. See the Amazon VPC User Guide.

Read-only access

Amazon managed policy name: ReadOnlyAccess

Use case: This user requires read-only access to every resource in an Amazon account.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants permissions to list, get, describe, and otherwise view resources and their attributes. It does not include mutating functions like create or delete. This policy does include read-only access to security-related Amazon services, such as Amazon Identity and Access Management and Amazon Billing and Cost Management. View the policy for the full list of services and actions that this policy supports.

Security auditor job function

Amazon managed policy name: SecurityAudit

Use case: This user monitors accounts for compliance with security requirements. This user can access logs and events to investigate potential security breaches or potential malicious activity.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants permissions to view configuration data for many Amazon services and to review their logs.

Support user job function

Amazon managed policy name: SupportUser

Use case: This user contacts Amazon Support, creates support cases, and views the status of existing cases.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants permissions to create and update Amazon Support cases.

System administrator job function

Amazon managed policy name: SystemAdministrator

Use case: This user sets up and maintains resources for development operations.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants permissions to create and maintain resources across a large variety of Amazon services, including Amazon CloudTrail, Amazon CloudWatch, Amazon CodeCommit, Amazon CodeDeploy, Amazon Config, Amazon Directory Service, Amazon EC2, Amazon Identity and Access Management, Amazon Key Management Service, Amazon Lambda, Amazon RDS, Route 53, Amazon S3, Amazon SES, Amazon SQS, Amazon Trusted Advisor, and Amazon VPC.

This job function requires the ability to pass roles to Amazon services. The policy grants iam:GetRole and iam:PassRole for only those roles named in the following table. For more information, see Creating roles and attaching policies (console) later in this topic.

Optional IAM service roles for the system administrator job function (in the role names below, * is a wildcard)

Use case: Allow apps running in EC2 instances in an Amazon ECS cluster to access Amazon ECS
Role name: ecr-sysadmin-*
Service role type to select: Amazon EC2 Role for EC2 Container Service
Amazon managed policy to select: AmazonEC2ContainerServiceforEC2Role

Use case: Allow a user to monitor databases
Role name: rds-monitoring-role
Service role type to select: Amazon RDS Role for Enhanced Monitoring
Amazon managed policy to select: AmazonRDSEnhancedMonitoringRole

Use case: Allow apps running in EC2 instances to access Amazon resources
Role name: ec2-sysadmin-*
Service role type to select: Amazon EC2
Amazon managed policy to select: Sample policy for a role that grants access to an S3 bucket as shown in the Amazon EC2 User Guide for Linux Instances; customize as needed

Use case: Allow Lambda to read DynamoDB streams and write to CloudWatch Logs
Role name: lambda-sysadmin-*
Service role type to select: Amazon Lambda
Amazon managed policy to select: AWSLambdaDynamoDBExecutionRole

View-only user job function

Amazon managed policy name: ViewOnlyAccess

Use case: This user can view a list of Amazon resources and basic metadata in the account across all services. The user cannot read resource content or metadata that goes beyond the quota and list information for resources.

Policy updates: Amazon maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the Policy versions tab. For more information about job function policy updates, see Updates to Amazon managed policies for job functions.

Policy description: This policy grants List*, Describe*, Get*, View*, and Lookup* access to resources for most Amazon services. To see what actions this policy includes for each service, see ViewOnlyAccess.

Updates to Amazon managed policies for job functions

These policies are all maintained by Amazon and are kept up to date to include support for new services and new capabilities as they are added by Amazon services. These policies cannot be modified by customers. You can make a copy of the policy and then modify the copy, but that copy is not automatically updated as Amazon introduces new services and API operations.

For a job function policy, you can view the version history and the time and date of each update in the IAM console. To do this, use the links on this page to view the policy details. Then choose the Policy versions tab to view the versions. This page shows the last 25 versions of a policy. To view all of the versions for a policy, call the get-policy-version Amazon CLI command or the GetPolicyVersion API operation.

Note

You can have up to five versions of a customer managed policy, but Amazon retains the full version history of Amazon managed policies.