Set IAM Policies

Learning Objectives

After completing this unit, you will be able to:

  • Describe IAM policies and how they are used.
  • Explain the key elements of an IAM policy.

The root user can perform all actions on all resources inside an AWS account by default. New IAM users, groups, and roles are the opposite: a new IAM identity can perform no actions inside your AWS account until you explicitly grant it permission.

Figure: Root user with unrestricted access to the cloud, and an IAM user with restricted access to the cloud following the least-privilege principle.

The way you grant permissions in IAM is by using IAM policies.

What Is an IAM Policy?

To manage access and provide permissions to AWS services and resources, you create IAM policies and attach them to IAM users, groups, and roles. Whenever a user or role makes a request, AWS evaluates the policies associated with them. For example, if you have a developer inside the developers group who makes a request to an AWS service, AWS evaluates any policies attached to the developers group and any policies attached to the developer user to determine if the request should be allowed or denied.

IAM Policy Examples

Most policies are stored in AWS as JSON documents with several policy elements. Take a look at the following example of what providing admin access through an IAM identity-based policy looks like.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            }
        ]
    }

In this policy, there are four major JSON elements: Version, Effect, Action, and Resource.

  • The Version element defines the version of the policy language. It specifies the language syntax rules that are needed by AWS to process a policy. To use all the available policy features, include "Version": "2012-10-17" before the "Statement" element in all your policies.
  • The Effect element specifies whether the statement will allow or deny access. In this policy, the Effect is "Allow", which means you’re providing access to a particular resource.
  • The Action element describes the type of action that should be allowed or denied. In the above policy, the action is "*". This is called a wildcard, and it is used to symbolize every action inside your AWS account.
  • The Resource element specifies the object or objects that the policy statement covers. In the policy example above, the resource is also the wildcard "*". This represents all resources inside your AWS console.

Putting all this information together, you have a policy that allows you to perform all actions on all resources inside your AWS account. This is what we refer to as an administrator policy.

Let’s look at another example of a more granular IAM policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:ChangePassword",
                    "iam:GetUser"
                ],
                "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
            }
        ]
    }

Looking at the JSON, you can see that this policy allows the IAM user to change their own IAM password (iam:ChangePassword) and get information about their own user (iam:GetUser). It only permits them to act on their own user because the Resource element restricts access with the policy variable ${aws:username}, which AWS replaces with the name of the user making the request.
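To make the evaluation described in this unit concrete (policies attached to the user and to their groups are collected, an explicit deny wins, an allow permits the request, and anything unmatched is denied by default), here is a small Python evaluator added for this unit. It is not AWS's evaluation engine and deliberately simplifies it; the two policies are the ones shown above, the DENY_DELETE_POLICY, the user names bob and alice, and the request context are constructed for the example.

```python
"""Added example: a toy evaluator for IAM identity-based policies.

Not AWS's evaluation engine, just the decision logic the unit describes:
gather every policy attached to the user and to its groups, let an explicit
Deny in any statement win, otherwise Allow if any statement matches, and
Deny by default when nothing matches. Action and Resource patterns support
the "*" and "?" wildcards, and ${aws:username} is filled in from the
request context the way AWS substitutes policy variables.
"""
import json
import re
from typing import Dict, Iterable, List

# Policies from the unit (account 123456789012 is the unit's placeholder id).
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

SELF_SERVICE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:ChangePassword", "iam:GetUser"],
    "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
  }]
}""")

# Constructed for this example: a guardrail that denies user deletion even
# to an identity that also holds the admin policy.
DENY_DELETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}]
}""")


def _as_list(value) -> List[str]:
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _substitute(pattern: str, context: Dict[str, str]) -> str:
    """Replace ${key} policy variables with values from the request context."""
    for key, val in context.items():
        pattern = pattern.replace("${" + key + "}", val)
    return pattern


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style glob: "*" matches any run of characters, "?" one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_applies(stmt: dict, action: str, resource: str, context: Dict[str, str]) -> bool:
    """A statement applies when both its Action and Resource match the request.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    action_ok = any(_wildcard_match(_substitute(p, context), action, True)
                    for p in _as_list(stmt["Action"]))
    resource_ok = any(_wildcard_match(_substitute(p, context), resource, False)
                      for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def evaluate(policies: Iterable[dict], action: str, resource: str, context: Dict[str, str]) -> str:
    """Decide one request against every attached policy; returns "Allow" or "Deny"."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit deny overrides any allow
            allowed = True         # keep scanning: a later deny could still win
    return "Allow" if allowed else "Deny"   # implicit deny when nothing matched


if __name__ == "__main__":
    bob = {"aws:username": "bob"}   # constructed request context
    print(evaluate([SELF_SERVICE_POLICY], "iam:GetUser",
                   "arn:aws:iam::123456789012:user/bob", bob))        # Allow
    print(evaluate([SELF_SERVICE_POLICY], "iam:GetUser",
                   "arn:aws:iam::123456789012:user/alice", bob))      # Deny (implicit)
    print(evaluate([ADMIN_POLICY, DENY_DELETE_POLICY], "iam:DeleteUser",
                   "arn:aws:iam::123456789012:user/alice", bob))      # Deny (explicit)
```

The order of the policies in the list does not matter: the evaluator keeps scanning after an allow so that an explicit deny anywhere in the set still wins, which is the property that makes a separately attached deny policy a reliable guardrail.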

Understand Policy Structure

When creating a policy, it is required to have each of the following elements inside a policy statement.

Element  | Description                                                              | Required | Example
Effect   | Specifies whether the statement results in an allow or an explicit deny  | Yes      | "Effect": "Deny"
Action   | Describes the specific actions that will be allowed or denied            | Yes      | "Action": "iam:CreateUser"
Resource | Specifies the object or objects that the statement covers                | Yes      | "Resource": "arn:aws:iam::account-ID-without-hyphens:user/Bob"
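A structural check is the practical counterpart of this table: before a hand-written policy is attached, confirm it carries the Version element and that every statement has Effect, Action and Resource. The following Python linter is added for this unit and is not an AWS tool; the two sample documents are constructed (the second one repeats the unit's self-service policy with a space after "iam:" and the Resource element left out), and the NotAction/NotResource variants of the required elements are treated as out of scope.

```python
"""Added example: a structural check for an IAM policy document before it is
attached. Not an AWS tool; it reports the problems this unit's structure rules
call out: a missing or outdated "Version", a statement lacking Effect, Action
or Resource, an Effect other than Allow/Deny, and an action that is not of the
service:Operation form (a stray space after the colon is an easy typo to make
in a hand-written policy).
"""
import json
import re
from typing import List

# service:Operation, with "*" and "?" wildcards allowed in the operation, or a bare "*".
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*?]+)$")
REQUIRED = ("Effect", "Action", "Resource")  # NotAction/NotResource variants are out of scope here


def lint_policy(doc: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the document passed."""
    problems: List[str] = []
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]
    if policy.get("Version") != "2012-10-17":
        problems.append('missing or outdated "Version"; use "2012-10-17"')
    statements = policy.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]   # a single statement object is also accepted by IAM
    if not isinstance(statements, list) or not statements:
        problems.append('"Statement" must be a non-empty list')
        return problems
    for i, stmt in enumerate(statements):
        for key in REQUIRED:
            if key not in stmt:
                problems.append(f'statement {i}: required element "{key}" is missing')
        if stmt.get("Effect") not in (None, "Allow", "Deny"):
            problems.append(f'statement {i}: Effect must be "Allow" or "Deny"')
        actions = stmt.get("Action", [])
        for action in (actions if isinstance(actions, list) else [actions]):
            if not isinstance(action, str) or not ACTION_RE.match(action):
                problems.append(f"statement {i}: malformed action {action!r}")
    return problems


# Constructed samples: the unit's self-service policy, once correct and once
# with a space after "iam:" and the Resource element left out.
GOOD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:ChangePassword", "iam:GetUser"],
    "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
  }]
}"""

BAD_POLICY = """{
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam: ChangePassword", "iam:GetUser"]
  }]
}"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(doc) or "OK")
```

Running it on BAD_POLICY reports three findings: the missing Version, the missing Resource, and the malformed action, which is exactly the set of mistakes that would otherwise surface only as a rejected policy or a silently non-matching statement.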

Wrap Up

IAM policies allow you to manage permissions and authorize IAM users, roles, and groups. Keep in mind that the AWS root user is different and cannot be authorized or restricted by IAM policies. In the next unit, you review IAM best practices and learn about an alternative to IAM.