Adding and removing IAM identity permissions - Amazon Identity and Access Management

Adding and removing IAM identity permissions

You use policies to define the permissions for an identity (user, user group, or role). You can add and remove permissions by attaching and detaching IAM policies for an identity using the Amazon Web Services Management Console, the Amazon Command Line Interface (Amazon CLI), or the Amazon API. Using the same methods, you can also use policies to set permissions boundaries, but only for entities (users or roles). Permissions boundaries are an advanced Amazon feature that controls the maximum permissions that an entity can have.

Terminology

When you associate permissions policies with identities (IAM users, IAM groups, and IAM roles), terminology and procedures vary depending on whether you are working with a managed or inline policy:

  • Attach – Used with managed policies. You attach a managed policy to an identity (a user, user group, or role). Attaching a policy applies the permissions in the policy to the identity.

  • Detach – Used with managed policies. You detach a managed policy from an IAM identity (a user, user group, or role). Detaching a policy removes its permissions from the identity.

  • Embed – Used with inline policies. You embed an inline policy in an identity (a user, user group, or role). Embedding a policy applies the permissions in the policy to the identity. Because an inline policy is stored in the identity, it is embedded rather than attached, though the results are similar.

    Note

    You can embed an inline policy for a service-linked role only in the service that depends on the role. See the Amazon documentation for your service to see whether it supports this feature.

  • Delete – Used with inline policies. You delete an inline policy from an IAM identity (a user, user group, or role). Deleting a policy removes its permissions from the identity.

    Note

    You can delete an inline policy for a service-linked role only in the service that depends on the role. See the Amazon documentation for your service to see whether it supports this feature.

You can use the console, Amazon CLI, or Amazon API to perform any of these actions.

View identity activity

Before you change the permissions for an identity (user, user group, or role), you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see Refine permissions in Amazon using last accessed information.
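The review described above can be scripted with the CLI's last accessed operations. This is an added example, not part of the original documentation; it assumes the CLI is installed as `aws` with credentials configured, and the identity ARN is supplied by the caller.

```bash
# Added example: list which services an identity has and has not used
# before any of its permissions are removed.

# Start a last-accessed report job for the identity ARN and print the job ID.
start_report() {
  aws iam generate-service-last-accessed-details \
    --arn "$1" --query JobId --output text
}

# Poll until the job leaves IN_PROGRESS. Returns non-zero on FAILED or timeout.
wait_for_report() {
  local job_id="$1" tries="${2:-30}" status
  while [ "$tries" -gt 0 ]; do
    status=$(aws iam get-service-last-accessed-details \
      --job-id "$job_id" --query JobStatus --output text) || return 1
    case $status in
      COMPLETED) return 0 ;;
      FAILED)    return 1 ;;
    esac
    tries=$((tries - 1))
    sleep "${POLL_SECONDS:-2}"
  done
  return 1
}

# Services with a recorded access: namespace and timestamp, one per line.
used_services() {
  aws iam get-service-last-accessed-details --job-id "$1" --output text \
    --query 'ServicesLastAccessed[?LastAuthenticated].[ServiceNamespace,LastAuthenticated]'
}

# Services with no recorded access: one namespace per line.
unused_services() {
  aws iam get-service-last-accessed-details --job-id "$1" --output text \
    --query 'ServicesLastAccessed[?!LastAuthenticated].ServiceNamespace' | tr '\t' '\n'
}

# Full review for one identity ARN.
review_activity() {
  local job_id
  job_id=$(start_report "$1") || return 1
  wait_for_report "$job_id" || { echo "report job did not complete" >&2; return 1; }
  echo "In use (keep access):";                   used_services "$job_id"
  echo "No recorded access (removal candidates):"; unused_services "$job_id"
}
```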

Adding IAM identity permissions (console)

You can use the Amazon Web Services Management Console to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a permissions boundary. You can also embed an inline policy.

To use a managed policy as a permissions policy for an identity (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the radio button next to the name of the policy to attach. You can use the search box to filter the list of policies.

  4. Choose Actions, and then choose Attach.

  5. Select one or more identities to attach the policy to. You can use the search box to filter the list of principal entities. After selecting the identities, choose Attach policy.

To use a managed policy to set a permissions boundary (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.

  4. On the policy details page, choose the Entities attached tab, and then, if necessary, open the Attached as a permissions boundaries section and choose Set this policy as a permissions boundary.

  5. Select one or more users or roles on which to use the policy for a permissions boundary. You can use the search box to filter the list of principal entities. After selecting the principals, choose Set permissions boundary.

To embed an inline policy for a user or role (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users or Roles.

  3. In the list, choose the name of the user or role to embed a policy in.

  4. Choose the Permissions tab.

  5. Choose Add permissions and then choose Create inline policy.

    Note

    You cannot embed an inline policy in a service-linked role in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or Amazon CLI. To view the service-linked role documentation for a service, see Amazon services that work with IAM and choose Yes in the Service-Linked Role column for your service.

  6. Choose from the following methods to view the steps required to create your policy:

  7. After you create an inline policy, it is automatically embedded in your user or role.

To embed an inline policy for a user group (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose User groups.

  3. In the list, choose the name of the user group to embed a policy in.

  4. Choose the Permissions tab, choose Add permissions, and then choose Create inline policy.

  5. Do one of the following:

  6. When you are satisfied with the policy, choose Create policy.

To change the permissions boundary for one or more entities (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.

  4. On the policy details page, choose the Entities attached tab, and then, if necessary, open the Attached as a permissions boundary section. Select the checkbox next to the users or roles whose boundaries you want to change and then choose Change.

  5. Select a new policy to use for a permissions boundary. You can use the search box to filter the list of policies. After selecting the policy, choose Set permissions boundary.

Removing IAM identity permissions (console)

You can use the Amazon Web Services Management Console to remove permissions from an identity (user, user group, or role). To do this, detach managed policies that control permissions, or remove a policy that serves as a permissions boundary. You can also delete an inline policy.

To detach a managed policy used as a permissions policy (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the radio button next to the name of the policy to detach. You can use the search box to filter the list of policies.

  4. Choose Actions, and then choose Detach.

  5. Select the identities to detach the policy from. You can use the search box to filter the list of identities. After selecting the identities, choose Detach policy.

To remove a permissions boundary (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.

  4. On the policy summary page, choose the Entities attached tab, and then, if necessary, open the Attached as a permissions boundary section and choose the entities to remove the permissions boundary from. Then choose Remove boundary.

  5. Confirm that you want to remove the boundary and choose Remove boundary.

To delete an inline policy (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose User groups, Users, or Roles.

  3. In the list, choose the name of the user group, user, or role that has the policy you want to remove.

  4. Choose the Permissions tab.

  5. Select the checkbox next to the policy and choose Remove.

  6. Choose Remove in the confirmation box.

Adding IAM policies (Amazon CLI)

You can use the Amazon CLI to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a permissions boundary. You can also embed an inline policy.

To use a managed policy as a permissions policy for an entity (Amazon CLI)
  1. (Optional) To view information about a managed policy, run the following commands:

  2. To attach a managed policy to an identity (user, user group, or role), use one of the following commands:

To use a managed policy to set a permissions boundary (Amazon CLI)
  1. (Optional) To view information about a managed policy, run the following commands:

  2. To use a managed policy to set the permissions boundary for an entity (user or role), use one of the following commands:

To embed an inline policy (Amazon CLI)

To embed an inline policy in an identity (user, user group, or role that is not a service-linked role), use one of the following commands:
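A sketch of the add procedures for a role, as an added example that is not part of the original documentation. It assumes the CLI is installed as `aws`; the role name, policy ARNs, policy name, and file path are supplied by the caller. The boundary is set before the permissions policy is attached, and the inline embed refuses service-linked roles, which it recognizes by their `/aws-service-role/` path.

```bash
# Added example: set a permissions boundary on a role, attach a managed
# policy, and read both back to confirm the result.
grant_role_with_boundary() {
  local role="$1" policy_arn="$2" boundary_arn="$3" arn actual

  # Fail early if either managed policy does not exist or cannot be read.
  for arn in "$policy_arn" "$boundary_arn"; do
    aws iam get-policy --policy-arn "$arn" --query Policy.Arn --output text \
      >/dev/null || { echo "policy not found: $arn" >&2; return 1; }
  done

  # Boundary first, so the role never holds the new policy without its cap.
  aws iam put-role-permissions-boundary --role-name "$role" \
    --permissions-boundary "$boundary_arn" || return 1
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn" \
    || return 1

  # Verify what the role carries now.
  actual=$(aws iam get-role --role-name "$role" --output text \
    --query 'Role.PermissionsBoundary.PermissionsBoundaryArn') || return 1
  [ "$actual" = "$boundary_arn" ] \
    || { echo "boundary mismatch: $actual" >&2; return 1; }
  aws iam list-attached-role-policies --role-name "$role" --output text \
    --query 'AttachedPolicies[].PolicyArn' | tr '\t' '\n' \
    | grep -Fxq "$policy_arn" || { echo "policy not attached" >&2; return 1; }
  echo "ok: $role has $policy_arn, bounded by $boundary_arn"
}

# Embed an inline policy from a local JSON file. Returns 2 for a
# service-linked role, whose permissions only the linked service can change.
embed_role_inline_policy() {
  local role="$1" name="$2" file="$3" path
  path=$(aws iam get-role --role-name "$role" --query Role.Path --output text) \
    || return 1
  case $path in
    /aws-service-role/*)
      echo "refusing: $role is a service-linked role" >&2; return 2 ;;
  esac
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  aws iam put-role-policy --role-name "$role" --policy-name "$name" \
    --policy-document "file://$file"
}
```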

Removing IAM policies (Amazon CLI)

You can use the Amazon CLI to detach managed policies that control permissions, or remove a policy that serves as a permissions boundary. You can also delete an inline policy.

To detach a managed policy used as a permissions policy (Amazon CLI)
  1. (Optional) To view information about a policy, run the following commands:

  2. (Optional) To find out about the relationships between the policies and identities, run the following commands:

  3. To detach a managed policy from an identity (user, user group, or role), use one of the following commands:

To remove a permissions boundary (Amazon CLI)
  1. (Optional) To view which managed policy is currently used to set the permissions boundary for a user or role, run the following commands:

  2. (Optional) To view the users or roles on which a managed policy is used for a permissions boundary, run the following command:

  3. (Optional) To view information about a managed policy, run the following commands:

  4. To remove a permissions boundary from a user or role, use one of the following commands:

To delete an inline policy (Amazon CLI)
  1. (Optional) To list all inline policies that are embedded in an identity (user, user group, or role), use one of the following commands:

  2. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), use one of the following commands:

  3. To delete an inline policy from an identity (user, user group, or role that is not a service-linked role), use one of the following commands:
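The removal procedures above, applied to one IAM user, as an added example that is not part of the original documentation. It assumes the CLI is installed as `aws`; the user name and backup directory are supplied by the caller, and the `APPLY` switch is this example's own convention.

```bash
# Added example: remove the permissions policies from one IAM user.
# Dry run by default; set APPLY=1 to execute the printed commands.

run() {  # print a change command, execute it only when APPLY=1
  echo "+ $*"
  if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

remove_user_permissions() {
  local user="$1" backup_dir="${2:-.}" arns names arn name boundary

  # Managed policies are detached; the policy itself is left untouched.
  arns=$(aws iam list-attached-user-policies --user-name "$user" \
    --query 'AttachedPolicies[].PolicyArn' --output text) || return 1
  for arn in $arns; do
    run aws iam detach-user-policy --user-name "$user" --policy-arn "$arn" \
      || return 1
  done

  # An inline policy exists only inside the identity, so deleting it
  # destroys the document: save each one before deleting.
  names=$(aws iam list-user-policies --user-name "$user" \
    --query 'PolicyNames[]' --output text) || return 1
  for name in $names; do
    aws iam get-user-policy --user-name "$user" --policy-name "$name" \
      --query PolicyDocument --output json \
      > "$backup_dir/$user.$name.json" || return 1
    run aws iam delete-user-policy --user-name "$user" --policy-name "$name" \
      || return 1
  done

  # A permissions boundary only limits permissions, so it is reported
  # here rather than removed ("None" means no boundary is set).
  boundary=$(aws iam get-user --user-name "$user" --output text \
    --query 'User.PermissionsBoundary.PermissionsBoundaryArn') || return 1
  echo "boundary left in place: $boundary"
}
```

Permissions the user receives through user groups are not affected by this function.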

Adding IAM policies (Amazon API)

You can use the Amazon API to attach managed policies that control permissions or specify a policy that serves as a permissions boundary. You can also embed an inline policy.

To use a managed policy as a permissions policy for an entity (Amazon API)
  1. (Optional) To view information about a policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  2. To attach a managed policy to an identity (user, user group, or role), call one of the following operations:

To use a managed policy to set a permissions boundary (Amazon API)
  1. (Optional) To view information about a managed policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  2. To use a managed policy to set the permissions boundary for an entity (user or role), call one of the following operations:

To embed an inline policy (Amazon API)

To embed an inline policy in an identity (user, user group, or role that is not a service-linked role), call one of the following operations:

Removing IAM policies (Amazon API)

You can use the Amazon API to detach managed policies that control permissions or remove a policy that serves as a permissions boundary. You can also delete an inline policy.

To detach a managed policy used as a permissions policy (Amazon API)
  1. (Optional) To view information about a policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  2. (Optional) To find out about the relationships between the policies and identities, call the following operations:

  3. To detach a managed policy from an identity (user, user group, or role), call one of the following operations:

To remove a permissions boundary (Amazon API)
  1. (Optional) To view which managed policy is currently used to set the permissions boundary for a user or role, call the following operations:

  2. (Optional) To view the users or roles on which a managed policy is used for a permissions boundary, call the following operation:

  3. (Optional) To view information about a managed policy, call the following operations:

    • To list managed policies: ListPolicies

    • To retrieve detailed information about a managed policy: GetPolicy

  4. To remove a permissions boundary from a user or role, call one of the following operations:

To delete an inline policy (Amazon API)
  1. (Optional) To list all inline policies that are embedded in an identity (user, user group, or role), call one of the following operations:

  2. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), call one of the following operations:

  3. To delete an inline policy from an identity (user, user group, or role that is not a service-linked role), call one of the following operations: