Managing access using policies - Amazon IoT Analytics
Identity-based policiesOther policy typesMultiple policy types
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

End of support notice: On December 15, 2025, Amazon will end support for Amazon IoT Analytics. After December 15, 2025, you will no longer be able to access the Amazon IoT Analytics console, or Amazon IoT Analytics resources. For more information, see Amazon IoT Analytics end of support.

Managing access using policies

You control access in Amazon by creating policies and attaching them to Amazon identities or resources. A policy defines permissions when associated with an identity or resource. Amazon evaluates these policies when a principal makes a request. Most policies are stored in Amazon as JSON documents. For more information about JSON policy documents, see Overview of JSON policies in the IAM User Guide.

Using policies, administrators specify who has access to what by defining which principal can perform actions on what resources, and under what conditions.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

Identity-based policies

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Define custom IAM permissions with customer managed policies in the IAM User Guide.

Identity-based policies can be inline policies (embedded directly into a single identity) or managed policies (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see Choose between managed policies and inline policies in the IAM User Guide.

Other policy types

Amazon supports additional policy types that can set the maximum permissions granted by more common policy types:

  • Permissions boundaries – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see Permissions boundaries for IAM entities in the IAM User Guide.

  • Service control policies (SCPs) – Specify the maximum permissions for an organization or organizational unit in Amazon Organizations. For more information, see Service control policies in the Amazon Organizations User Guide.

  • Resource control policies (RCPs) – Set the maximum available permissions for resources in your accounts. For more information, see Resource control policies (RCPs) in the Amazon Organizations User Guide.

  • Session policies – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see Session policies in the IAM User Guide.

Multiple policy types

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how Amazon determines whether to allow a request when multiple policy types are involved, see Policy evaluation logic in the IAM User Guide.