A repository of AWS IAM policy templates and examples including customizable CloudFormation and AWS CLI scripts.
A policy that allows starting or stopping a specific EC2 instance and modifying a specific security group (Programmatically and in the Console).
A policy that allows listing information for all EC2 objects and launching EC2 instances in a specific subnet. This policy also provides the permissions necessary to complete this action on the console.
A policy that allows managing Amazon EC2 security groups associated with a specific virtual private cloud (VPC). This policy also provides the permissions necessary to complete this action on the console.
A policy that allows full EC2 access within a specific region. This policy also provides the permissions necessary to complete this action on the console.
An IAM policy that prevents users from creating their own security groups and allows users to launch only approved AMIs (Amazon Machine Images). Approved images are identified by tags (for example, tag key Approved with tag value True). This policy provides the permissions necessary to complete this action programmatically or from the console.
An IAM policy that allows an IAM user to start or stop EC2 instances, but only if the instance tag Owner has the value of that user's user name. This policy also provides the permissions necessary to complete this action on the console.
An IAM policy that prevents users from terminating EC2 instances when the request does not come from a specified IP range. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
An IAM policy that prevents users from launching new EC2 instances unless they are configured to require Instance Metadata Service Version 2 (IMDSv2).
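The three EC2 policies just described (start/stop by Owner tag, terminate only from an approved IP range, require IMDSv2 at launch) each rely on a different condition key. The identity policy below is an added example, not one of the repository's templates; it folds the three into one document so the condition patterns can be compared. The Owner tag key comes from the description above; the account and region wildcards, the two IP ranges (documentation-only prefixes) and the extra ModifyInstanceMetadataOptions deny are assumptions of this example. Policy JSON carries no comments, so those assumptions are stated here rather than inline.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeForConsole",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "StartStopOnlyOwnInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}
      }
    },
    {
      "Sid": "DenyTerminateOutsideApprovedRange",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]},
        "Bool": {"aws:ViaAWSService": "false"}
      }
    },
    {
      "Sid": "RequireImdsV2OnLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {"ec2:MetadataHttpTokens": "required"}
      }
    },
    {
      "Sid": "PreventImdsDowngradeAfterLaunch",
      "Effect": "Deny",
      "Action": "ec2:ModifyInstanceMetadataOptions",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"ec2:MetadataHttpTokens": "required"}
      }
    }
  ]
}
```

Two evaluation details matter here. Negated operators (StringNotEquals, NotIpAddress) match when the condition key is absent from the request, so the RunInstances deny also fires on a launch that never sets metadata options (which would default to optional tokens); the companion deny on ModifyInstanceMetadataOptions stops a user from flipping the instance back to IMDSv1 afterwards. The aws:ViaAWSService check keeps the source-IP deny from blocking terminations that a service such as Auto Scaling performs on the user's behalf, since those requests do not carry the user's IP address.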
A policy that allows IAM users to access their own home directory in S3. The home directory is a bucket that includes a home folder and folders for individual users (Programmatically and in the Console).
A policy that limits managing an S3 bucket by allowing all S3 actions on the specific bucket, but explicitly denying access to every AWS service except Amazon S3. This policy also denies access to actions that can't be performed on an S3 bucket, such as s3:ListAllMyBuckets or s3:GetObject. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows Read and Write access to a specific S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows Read and Write access to a specific S3 bucket. This policy also provides the permissions necessary to complete this action on the console.
A policy that allows Read access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows write access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
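The S3 home-directory, folder-read and folder-write policies above all hinge on two things: ListBucket is authorized against the bucket ARN while object actions are authorized against the object ARN, and the s3:prefix condition is what confines listing to a user's own folder. The policy below is an added example, not one of the repository's templates; the bucket name example-corp-home, the home/ prefix layout and the exact action list are assumptions of this example (the layout follows the description above).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConsoleBucketList",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "ListOnlyHomeAndOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-corp-home",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["", "home/", "home/${aws:username}/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteOwnFolderObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-corp-home/home/${aws:username}/*"
    }
  ]
}
```

The empty string in the s3:prefix list permits a listing of the bucket root (the console issues that call first), home/ permits listing the folder index, and the wildcard entry permits anything under the user's own folder. Putting the object ARN on the ListBucket statement, or the bucket ARN on GetObject, produces an AccessDenied that is easy to misread as a condition problem. The ${aws:username} variable is only populated for IAM users; for assumed roles it is empty and the policy grants nothing, so role-based designs substitute a session tag or aws:userid.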
A policy that allows IAM users to self-manage an MFA device. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows IAM users to rotate their own access keys, signing certificates, service specific credentials, and passwords. This policy also provides the permissions necessary to complete this action programmatically and on the console.
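A self-service MFA and credential-rotation policy has one subtle requirement: the user must be able to enrol a device and sign in before MFA exists, but nothing else should work without it. The policy below is an added example, not one of the repository's templates; it scopes every IAM action to the caller's own user ARN with ${aws:username} and closes the door with a Deny that uses BoolIfExists. The action lists are assumptions of this example chosen to match the two descriptions above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswordAndKeys",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```

BoolIfExists rather than Bool is the important choice. A request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all; with plain Bool the condition would not match and the deny would never apply, so key-based calls would bypass the MFA requirement entirely. BoolIfExists treats the missing key as a match, so only sessions that actually carry an MFA claim escape the deny. Note that the virtual-device ARN uses the mfa/ prefix while user-level MFA actions use the user/ prefix.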
A policy that allows using the policy simulator API for policies attached to a user, group, or role in the current AWS account. This policy also allows access to simulate less sensitive policies passed to the API as strings. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows using the policy simulator console for policies attached to a user, group, or role in the current AWS account.
A policy that allows full access to a DynamoDB table with the specified name. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows access to specific attributes of a DynamoDB table (DynamoDB has no columns; the restriction is enforced through the dynamodb:Attributes condition key). This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
An IAM policy that grants permissions for the GetItem and BatchGetItem DynamoDB actions only, thereby granting read-only access to a table. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
An IAM policy that grants permissions for all of the DynamoDB actions on a specific table and all of the table's indexes. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
An IAM policy that allows users to view reserved capacity offerings and current purchases using the AWS Management Console, but denies new purchases. This policy provides the permissions necessary to complete this action using the AWS Console or AWS API/AWS CLI.
An IAM policy that grants users permissions to access the streams on a DynamoDB table, but not to the table itself. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
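Attribute-level access and streams-only access are the two DynamoDB policies above that need more than an action list. The policy below is an added example, not one of the repository's templates; the table name GameScores, the attribute names, the account ID and region are assumptions of this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyListedAttributes",
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:Attributes": ["UserId", "GameTitle", "TopScore"]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
        }
      }
    },
    {
      "Sid": "StreamsOnlyNotTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator",
        "dynamodb:ListStreams"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores/stream/*"
    }
  ]
}
```

dynamodb:Attributes is a multivalued key, so ForAllValues is required: every attribute the request names must be in the allowed set. ForAllValues also evaluates to true when the request names no attributes at all, which is why the dynamodb:Select condition is needed; it forces the caller to ask for specific attributes (a ProjectionExpression) instead of the default of returning every attribute on the item. The streams statement grants nothing on the table ARN itself, only on the stream ARN beneath it, which is exactly the separation the streams-only description calls for.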
A policy that allows restoring RDS databases. This policy also provides the permissions necessary to complete this action programmatically and in the console.
A policy that allows tag owners full access to RDS resources that they have tagged (Tag key: Owner, Tag Value: <IAM username>). This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
An IAM policy that allows users to launch only RDS instances of a specific instance class and database engine (default: t2.micro and mysql).
An IAM policy that allows a user to create only DB instances that use a specific DB parameter group and DB security group.
An IAM policy that prevents a user from deleting a specific DB instance.
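CreateDBInstance is unusual in that one API call is authorized against several RDS resource ARNs at once (the instance, option group, parameter group, security group and subnet group), and the instance class and engine are checked through request condition keys rather than ARNs. The policy below is an added example, not one of the repository's templates, covering the three RDS descriptions above; the group names, the db.t2.micro class, the production instance name prod-orders, the account ID and region are assumptions of this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOnlySmallMysqlWithApprovedGroups",
      "Effect": "Allow",
      "Action": "rds:CreateDBInstance",
      "Resource": [
        "arn:aws:rds:us-east-1:123456789012:db:*",
        "arn:aws:rds:us-east-1:123456789012:og:default*",
        "arn:aws:rds:us-east-1:123456789012:pg:approved-mysql-pg",
        "arn:aws:rds:us-east-1:123456789012:secgrp:approved-db-secgrp",
        "arn:aws:rds:us-east-1:123456789012:subgrp:default"
      ],
      "Condition": {
        "StringEquals": {
          "rds:DatabaseClass": "db.t2.micro",
          "rds:DatabaseEngine": "mysql"
        }
      }
    },
    {
      "Sid": "DenyDeleteProductionInstance",
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-orders"
    }
  ]
}
```

Because every ARN the request references must be allowed, a request that names a parameter group other than approved-mysql-pg fails even though the instance ARN matches. The secgrp ARN is the legacy RDS DB security group named in the description; a VPC security group is an EC2 resource and cannot be constrained with an rds: ARN. Instance classes in RDS carry the db. prefix, so the condition value must be db.t2.micro, not t2.micro.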
An IAM policy that allows Read access to a specific CodeCommit repository. This policy also provides the permissions necessary to complete this action programmatically and in the console.
An IAM policy that allows a user to use Git to pull from, and push to, a specific AWS CodeCommit repository.
An IAM policy that denies a user the ability to change or push changes to a specific branch in a specific AWS CodeCommit repository.
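Branch protection in CodeCommit is done with the codecommit:References condition key, which is only present on requests that touch a branch. The policy below is an added example, not one of the repository's templates, combining the pull/push and protected-branch descriptions above; the repository name payments-service, the branch main, the account ID and region are assumptions of this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitPullAndPush",
      "Effect": "Allow",
      "Action": ["codecommit:GitPull", "codecommit:GitPush"],
      "Resource": "arn:aws:codecommit:us-east-1:123456789012:payments-service"
    },
    {
      "Sid": "ProtectMainBranch",
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:MergeBranchesByFastForward",
        "codecommit:MergeBranchesBySquash",
        "codecommit:MergeBranchesByThreeWay",
        "codecommit:MergePullRequestByFastForward",
        "codecommit:MergePullRequestBySquash",
        "codecommit:MergePullRequestByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:123456789012:payments-service",
      "Condition": {
        "StringEqualsIfExists": {"codecommit:References": ["refs/heads/main"]},
        "Null": {"codecommit:References": "false"}
      }
    }
  ]
}
```

The two conditions work together. StringEqualsIfExists alone would match when the key is absent, turning the deny into a block on every push; the Null check requires the key to be present, so the deny applies only to operations that explicitly target refs/heads/main and a push to any feature branch goes through. Console edits and merges are covered by listing the PutFile and Merge* actions alongside GitPush, since those do not go through the Git transport.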
An IAM policy that allows a user to create build projects using only the specified AWS CodeBuild service role.
An IAM policy that allows a user to delete build projects.
An IAM policy that allows a user to change information about build projects using only the specified AWS CodeBuild service role.
An IAM policy that grants permissions to approve or reject manual approval actions in a specific pipeline.
An IAM policy that grants permissions to disable and enable transitions between all stages in a specific pipeline.
An IAM policy that allows read-only on a specific Kinesis stream.
An IAM policy that allows pushing data to a specific Kinesis stream.
An IAM policy that provides end users the ability to start a session to a particular instance and the ability to terminate only their own sessions.
An IAM policy that provides end users the ability to start a session to instances based on the tags assigned and the ability to terminate only their own sessions.
An IAM policy that allows a user to fully interact with all instances and all sessions created by all users for all instances, as well as permissions to create, update and delete preferences. It should be granted only to an administrator who needs full control over your organization's Session Manager activities.
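The "terminate only their own sessions" requirement in the two end-user Session Manager policies above works because Session Manager names every session after the principal that started it. The policy below is an added example, not one of the repository's templates; the instance ID, the Environment tag, the account ID and region are assumptions of this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnOneInstance",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    },
    {
      "Sid": "StartSessionOnTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {"ssm:resourceTag/Environment": "dev"}
      }
    },
    {
      "Sid": "DescribeForConsole",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TerminateOnlyOwnSessions",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
```

The session ARN pattern session/${aws:username}-* is what keeps TerminateSession scoped to the caller: session IDs are built from the caller's user name followed by a dash and a random suffix, so one user's policy never matches another user's sessions. The same Resource pattern is usable for ResumeSession, which the console needs to reconnect a dropped session.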
An IAM policy that allows IAM users to view the following Billing and Cost Management console pages, without giving them access to the Account Settings or Reports console pages. This policy also provides the permissions necessary to complete this action programmatically and in the console.
An IAM policy that allows IAM users to access the Reports console page and to view the usage reports that contain account activity information. This policy also provides the permissions necessary to complete this action in the console.
An IAM policy that denies IAM users access to all Billing and Cost Management console pages.
An IAM policy that allows IAM users to modify the Consolidated Billing, Preferences, and Credits console pages. It also allows an IAM user to view the following Billing and Cost Management console pages: Dashboard, Cost Explorer, Bills, Payment History, Advance Payment.
An IAM policy that allows IAM users to modify the Budgets console page. To allow IAM users to create budgets in the Billing and Cost Management console, you must also allow IAM users to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications.
An IAM policy that allows IAM users to create, view, or delete an AWS Cost and Usage report using the API.
An IAM policy that allows IAM users read-only access to the AWS KMS console. That is, users can use the console to view all CMKs, but they cannot make changes to any CMKs or create new ones.
An IAM policy that allows IAM users to successfully request that AWS KMS encrypt and decrypt data with any CMK in the specified AWS account and region.
An IAM policy that allows IAM users to successfully request that AWS KMS encrypt and decrypt data with a specific CMK.
An IAM policy that prevents a user from disabling or deleting any CMKs, even when another IAM policy or a key policy allows these permissions.
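The last two KMS descriptions above illustrate how identity policies interact with key policies. The policy below is an added example, not one of the repository's templates; the key ID, account ID and region are assumptions of this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UseOneKeyForEnvelopeEncryption",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Sid": "NeverDisableOrDeleteAnyKey",
      "Effect": "Deny",
      "Action": [
        "kms:DisableKey",
        "kms:ScheduleKeyDeletion",
        "kms:DisableKeyRotation"
      ],
      "Resource": "*"
    }
  ]
}
```

The Allow statement only takes effect if the key's own policy delegates authorization to IAM (the statement that grants kms:* to the account root); a key policy that does not do so ignores identity-policy allows entirely. The Deny statement has no such dependency: an explicit deny in an identity policy is final regardless of what the key policy grants, which is what the description "even when another IAM policy or a key policy allows these permissions" relies on. GenerateDataKey is included because services that encrypt on a principal's behalf (S3, EBS) request data keys rather than calling Encrypt directly.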
An IAM policy that allows access to all CloudFormation APIs but denies the UpdateStack and DeleteStack APIs on a specific stack (for example, a production stack). This policy also provides the permissions necessary to complete this action on the console.
An IAM policy that allows users to create new or update existing CloudFormation stacks, as long as the template URL used is allowed. This policy also provides the permissions necessary to complete this action on the console.
An IAM policy that prevents creating or updating CloudFormation stacks that contain specific resource types (this template uses IAM resource types as the default example). This policy also provides the permissions necessary to complete this action on the console.
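The three CloudFormation descriptions above map onto a stack ARN deny and two request condition keys, cloudformation:TemplateUrl and cloudformation:ResourceTypes. The policy below is an added example, not one of the repository's templates; the stack name prod-network, the approved-templates bucket, the account ID and region are assumptions of this example, as is the final statement, which is added as a hardening step rather than taken from the descriptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllCloudFormation",
      "Effect": "Allow",
      "Action": "cloudformation:*",
      "Resource": "*"
    },
    {
      "Sid": "ProtectProductionStack",
      "Effect": "Deny",
      "Action": ["cloudformation:UpdateStack", "cloudformation:DeleteStack"],
      "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/prod-network/*"
    },
    {
      "Sid": "OnlyApprovedTemplateLocation",
      "Effect": "Deny",
      "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "cloudformation:TemplateUrl": ["https://s3.amazonaws.com/approved-templates/*"]
        }
      }
    },
    {
      "Sid": "NoIamResourcesInStacks",
      "Effect": "Deny",
      "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {"cloudformation:ResourceTypes": ["AWS::IAM::*"]}
      }
    },
    {
      "Sid": "RequireResourceTypesToBeDeclared",
      "Effect": "Deny",
      "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
      "Resource": "*",
      "Condition": {
        "Null": {"cloudformation:ResourceTypes": "true"}
      }
    }
  ]
}
```

Two points govern whether these denies can be sidestepped. A caller who passes the template inline as TemplateBody sends no cloudformation:TemplateUrl key, and StringNotLike matches on a missing key, so inline templates are denied along with unapproved URLs; that is the behaviour you want for "only approved template locations". cloudformation:ResourceTypes, by contrast, is populated only when the caller supplies the resource-types parameter on the request; with the key absent, ForAnyValue:StringLike evaluates false and the IAM deny would not fire, so the closing Null statement denies any create or update that omits the declaration, forcing callers to state which resource types their template uses.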