Create your first IAM policy - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create your first IAM policy

You grant permissions to an IAM entity (IAM user or IAM role) by creating a policy, which is a document that lists the actions that the entity can perform and the resources those actions can affect. Any actions or resources that are not explicitly allowed are denied by default. Policies can be created and attached to IAM users, IAM groups of users, IAM roles, and resources.

These policies are used with an IAM role:

  • Trust policy – Defines which principal can assume the role, and under which conditions. A trust policy is a specific type of resource-based policy for IAM roles. A role can have only one trust policy.

  • Identity-based policies (inline and managed) – These policies define which actions a principal that assumes the role can perform (or is explicitly denied from performing), and on which resources.

Use the Example IAM identity-based policies to help you define permissions for your IAM identities. After you find the policy that you need, choose View the policy to display its JSON. You can use that JSON policy document as a template for your own policies.

IAM policies are attached to IAM identities (users, groups of users, or roles) or to Amazon resources. A policy is an object in Amazon that, when associated with an identity or resource, defines its permissions.

To create your first IAM policy

  1. Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to Amazon in the Amazon Sign-In User Guide.

  2. On the Console Home page, select the IAM service.

  3. In the navigation pane, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  4. Choose Create policy.

  5. On the Create policy page, choose Actions and then choose Import policy.

  6. In the Import policy window, in the Find policies box, type power to reduce the list of policies. Choose the PowerUserAccess policy.

  7. Choose Import policy. The imported policy appears in the JSON tab.

  8. Choose Next.

  9. On the Review and create page, for Policy name, type PowerUserExamplePolicy. For Description, type Allows full access to all services except those for user management. Then choose Create policy to save the policy.

You can attach this policy to a role to give the users who assume that role the permissions it grants. The PowerUserAccess policy is commonly used to provide access to developers.
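To make the policy semantics described on this page concrete (everything not explicitly allowed is denied, an explicit Deny overrides an Allow, NotAction versus Action, and a trust policy's Principal check), here is an added example that is not code from this page or from Amazon. It evaluates a request against a few constructed policy documents. The PowerUserExamplePolicy used below is modelled on the tutorial's description of PowerUserAccess ("full access to all services except those for user management") and is not the real managed policy document, which lists additional exceptions; the account ID and role name in the trust policy are placeholders, and the ARNs use the `aws` partition (the China Regions use `aws-cn`).

```python
import re

# Toy model of IAM policy evaluation (added example, not Amazon code): default deny,
# explicit Deny wins, Action/NotAction, wildcards, and Principal matching for a
# trust policy. Conditions, permissions boundaries, SCPs and session policies are
# deliberately out of scope.

# Constructed sample modelled on the tutorial's description of PowerUserAccess
# ("full access to all services except those for user management"). It is NOT the
# real managed policy document, which lists additional exceptions.
POWER_USER_EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:CreateServiceLinkedRole"],
         "Resource": "*"},
    ],
}

# Constructed inline policy attached to the same role: one explicit Deny
# overrides the broad Allow above for that single action.
DENY_BUCKET_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}

# Constructed trust policy with a placeholder account ID: only the named principal
# may assume the role. No Resource element: the resource is the role itself.
EXAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/DeveloperSSORole"}}],
}

def _as_list(value):
    """IAM accepts a string or a list of strings; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _glob_match(pattern, value, case_sensitive):
    """IAM wildcards: '*' = any run of characters, '?' = one character.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def _action_matches(stmt, action):
    if "NotAction" in stmt:  # matches every action EXCEPT the listed ones
        return not any(_glob_match(p, action, False) for p in _as_list(stmt["NotAction"]))
    return any(_glob_match(p, action, False) for p in _as_list(stmt.get("Action")))

def _resource_matches(stmt, resource):
    if "NotResource" in stmt:
        return not any(_glob_match(p, resource, True) for p in _as_list(stmt["NotResource"]))
    if "Resource" not in stmt:  # resource-based policy: the resource is implicit
        return True
    return any(_glob_match(p, resource, True) for p in _as_list(stmt["Resource"]))

def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":  # identity-based policy, or anyone
        return True
    allowed = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in allowed or principal_arn in allowed

def evaluate(policy, action, resource="*", principal_arn=None):
    """One policy's decision: 'Deny' (explicit, ends evaluation), 'Allow', or
    'ImplicitDeny' when no statement matches the request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt, action) and _resource_matches(stmt, resource)
                and _principal_matches(stmt, principal_arn)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def evaluate_all(policies, action, resource="*", principal_arn=None):
    """Combine all inline and managed policies attached to one identity:
    any explicit Deny wins, then any Allow, otherwise implicit deny."""
    decisions = {evaluate(p, action, resource, principal_arn) for p in policies}
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else "ImplicitDeny"

if __name__ == "__main__":
    role_policies = [POWER_USER_EXAMPLE_POLICY, DENY_BUCKET_DELETE_POLICY]
    for act in ("s3:GetObject", "iam:CreateUser", "iam:ListRoles", "s3:DeleteBucket"):
        print(f"{act:16} -> {evaluate_all(role_policies, act, 'arn:aws:s3:::example-bucket')}")
    print("sts:AssumeRole   ->", evaluate(EXAMPLE_TRUST_POLICY, "sts:AssumeRole",
          principal_arn="arn:aws:iam::111122223333:role/DeveloperSSORole"))
```

Running the script shows the two halves of the role model side by side: the trust policy answers "who may assume this role" (any principal other than the listed ARN gets an implicit deny on sts:AssumeRole), while the identity-based policies answer "what can the assumed role do" (iam:CreateUser falls under NotAction and is never allowed, and the inline Deny on s3:DeleteBucket wins over the broad Allow). The real IAM evaluator also applies Condition elements, permissions boundaries, SCPs and session policies, so treat this as an illustration of the ordering rules rather than a substitute for the IAM policy simulator.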