IAM Policies

A list of IAM policies that can help you define permissions for your IAM identities. All policies can be customized and combined to create templates that can be deployed using CloudFormation or the AWS CLI.

EC2
Allows Starting or Stopping an EC2 Instance and Modifying a Security Group
IAM Policy
A policy that allows starting or stopping a specific EC2 instance and modifying a specific security group (Programmatically and in the Console).
Console Access
API and CLI Access
Allows Launching EC2 Instances in a Specific Subnet, Programmatically and in the Console
IAM Policy
A policy that allows listing information for all EC2 objects and launching EC2 instances in a specific subnet. This policy also provides the permissions necessary to complete this action on the console.
Console Access
API and CLI Access
Allows Managing EC2 Security Groups Associated With a Specific VPC, Programmatically and in the Console
IAM Policy
A policy that allows managing Amazon EC2 security groups associated with a specific virtual private cloud (VPC). This policy also provides the permissions necessary to complete this action on the console.
Console Access
API and CLI Access
Allows Full EC2 Access Within a Specific Region, Programmatically and in the Console
IAM Policy
A policy that allows full EC2 access within a specific region. This policy also provides the permissions necessary to complete this action on the console.
Console Access
API and CLI Access
Allow Users to Launch Approved Images and Use Existing Security Groups Only, Programmatically and in the Console.
IAM Policy
An IAM policy that prevents users from creating their own security groups, and allows users to only launch approved AMIs (Amazon Machine Images). Approved images are identified with Tags (Example, Tag Key: Approved, Tag Value: True). This policy provides the permissions necessary to complete this action programmatically or from the console.
Console Access
API and CLI Access
Tags
Allow Starting or Stopping EC2 Instances Based on a User's Username, Programmatically and in the Console.
IAM Policy
An IAM policy that allows an IAM user to start or stop EC2 instances, but only if the instance tag Owner has the value of that user's user name. This policy also provides the permissions necessary to complete this action on the console.
Console Access
API and CLI Access
Tags
Limit Terminating EC2 Instances to an IP Address Range
IAM Policy
An IAM policy that prevents users from terminating EC2 instances when the request does not come from a specified IP range. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
Console Access
API and CLI Access
S3
Allows IAM Users Access to Their S3 Home Directory
IAM Policy
A policy that allows IAM users to access their own home directory in S3. The home directory is a bucket that includes a home folder and folders for individual users (Programmatically and in the Console).
API and CLI Access
Console Access
Limits Managing to a Specific S3 Bucket and Denies All Other Actions
IAM Policy
A policy that limits managing an S3 bucket by allowing all S3 actions on the specific bucket, but explicitly denying access to every AWS service except Amazon S3. This policy also denies access to actions that can't be performed on an S3 bucket, such as s3:ListAllMyBuckets or s3:GetObject. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Allows Read and Write Access to a Specific S3 Bucket
IAM Policy
A policy that allows Read and Write access to a specific S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Allows Read and Write Access to a Specific S3 Bucket, Programmatically and in the Console.
IAM Policy
A policy that allows Read and Write access to a specific S3 bucket. This policy also provides the permissions necessary to complete this action on the console.
API and CLI Access
Console Access
Allow users to read objects in a portion of the S3 bucket.
IAM Policy
A policy that allows Read access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Allow users to only drop files to a specific folder within an S3 bucket.
IAM Policy
A policy that allows write access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
IAM
Allows IAM Users to Self-Manage an MFA Device
IAM Policy
A policy that allows IAM users to self-manage an MFA device. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Allows IAM Users to Rotate Their Own Credentials
IAM Policy
A policy that allows IAM users to rotate their own access keys, signing certificates, service specific credentials, and passwords. This policy also provides the permissions necessary to complete this action programmatically and on the console.
API and CLI Access
Console Access
Access the Policy Simulator API
IAM Policy
A policy that allows using the policy simulator API for policies attached to a user, group, or role in the current AWS account. This policy also allows access to simulate less sensitive policies passed to the API as strings. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Access the Policy Simulator Console
IAM Policy
A policy that allows using the policy simulator console for policies attached to a user, group, or role in the current AWS account.
Console Access
DynamoDB
Allows Access to a Specific DynamoDB Table
IAM Policy
A policy that allows full access to a DynamoDB table with the specified name. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Allows Access to Specific Columns in a DynamoDB table
IAM Policy
A policy that allows access to the specific DynamoDB columns. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Allow Read-only Access on Items in a Table
IAM Policy
An IAM policy that grants permissions for the GetItem and BatchGetItem DynamoDB actions only and thereby sets read-only access to a table. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Allow Access to a Specific Table and All of Its Indexes
IAM Policy
An IAM policy that grants permissions for all of the DynamoDB actions on a specific table and all of the table's indexes. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Prevent a User from Purchasing Reserved Capacity Offerings
IAM Policy
An IAM policy that allows users to view reserved capacity offerings and current purchases using the AWS Management Console, but denies new purchases. This policy provides the permissions necessary to complete this action using the AWS Console or the AWS API/AWS CLI.
API and CLI Access
Console Access
Allow Read Access for a DynamoDB Stream Only (Not for the Table)
IAM Policy
An IAM policy that grants users permissions to access the streams on a DynamoDB table, but not to the table itself. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
RDS
Allows Restoring RDS Databases
IAM Policy
A policy that allows restoring RDS databases. This policy also provides the permissions necessary to complete this action programmatically and in the console.
API and CLI Access
Console Access
Allows Tag Owners Full Access to RDS Resources That They Have Tagged
IAM Policy
A policy that allows tag owners full access to RDS resources that they have tagged (Tag key: Owner, Tag Value: <IAM username>). This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
API and CLI Access
Tags
Allows Creation of RDS Instances of Specific Instance Type and Database Engine
IAM Policy
An IAM policy that allows users to only launch RDS instances of a specific instance type and database engine (Default: t2.micro and mysql).
API and CLI Access
Allow a User to Create a DB Instance That Uses the Specified DB Parameter and Security Groups
IAM Policy
An IAM policy that allows a user to create a DB instance only if it uses a specific DB parameter group and DB security group.
API and CLI Access
Prevent a User from Deleting a DB Instance
IAM Policy
An IAM policy that prevents a user from deleting a specific DB instance.
API and CLI Access
Console Access
CodeCommit
Allow Read Access to an AWS CodeCommit Repository
IAM Policy
An IAM policy that allows Read access to a specific CodeCommit repository. This policy also provides the permissions necessary to complete this action programmatically and in the console.
API and CLI Access
AWS CodeCommit: Allow a User to Use Git for a Single Repository
IAM Policy
An IAM policy that allows a user to use Git to pull from, and push to, a specific AWS CodeCommit repository.
AWS CodeCommit: Deny Write Access to Specific Branches in a Repository
IAM Policy
An IAM policy that denies a user the ability to change or push changes to a specific branch in a specific AWS CodeCommit repository.
API and CLI Access
CodeBuild
AWS CodeBuild: Allow a User to Create Build Projects
IAM Policy
An IAM policy that allows a user to create build projects using only the specified AWS CodeBuild service role.
API and CLI Access
AWS CodeBuild: Allow a User to Delete Build Projects
IAM Policy
An IAM policy that allows a user to delete build projects.
API and CLI Access
AWS CodeBuild: Allow a User to Change Information About Build Projects
IAM Policy
An IAM policy that allows a user to change information about build projects using only the specified AWS CodeBuild service role.
API and CLI Access
CodePipeline
AWS CodePipeline: Grant Permissions to Approve or Reject Manual Approval Actions
IAM Policy
An IAM policy that grants permissions to approve or reject manual approval actions in a specific pipeline.
API and CLI Access
AWS CodePipeline: Grant Permissions to Enable and Disable Transitions Between Stages
IAM Policy
An IAM policy that grants permissions to disable and enable transitions between all stages in a specific pipeline.
API and CLI Access
Kinesis
Allow users to get data from a Kinesis stream
IAM Policy
An IAM policy that allows read-only access to a specific Kinesis stream.
API and CLI Access
Allow users to add data to a Kinesis stream
IAM Policy
An IAM policy that allows pushing data to a specific Kinesis stream.
API and CLI Access
Systems Manager
Allow users to use Session Manager based on Instance IDs
IAM Policy
An IAM policy that gives end users the ability to start a session to a particular instance and the ability to terminate only their own sessions.
Console Access
API and CLI Access
Systems Manager
Allow users to use Session Manager based on Instance Tags
IAM Policy
An IAM policy that gives end users the ability to start a session to instances based on the tags assigned, and the ability to terminate only their own sessions.
Console Access
API and CLI Access
Systems Manager
Tags
Full Administrator Policy for Session Manager
IAM Policy
An IAM policy that allows a user to fully interact with all instances and all sessions created by all users for all instances, as well as permission to create, update, and delete preferences. It should be granted only to an administrator who needs full control over your organization's Session Manager activities.
Console Access
API and CLI Access
Systems Manager
Billing
Allow IAM users to view your billing information
IAM Policy
An IAM policy that allows IAM users to view the following Billing and Cost Management console pages, without giving them access to the Account Settings or Reports console pages. This policy also provides the permissions necessary to complete this action programmatically and in the console.
Console Access
API and CLI Access
Allow IAM users to access the Reports console page
IAM Policy
An IAM policy that allows IAM users to access the Reports console page and to view the usage reports that contain account activity information. This policy also provides the permissions necessary to complete this action in the console.
Console Access
Deny IAM users access to the Billing and Cost Management console
IAM Policy
An IAM policy that denies IAM users access to all Billing and Cost Management console pages.
Console Access
Allow IAM users to view the Billing and Cost Management console, except Account Settings
IAM Policy
An IAM policy that allows IAM users to view the following Billing and Cost Management console pages, without giving them access to the Account Settings or Reports console pages. This policy also provides the permissions necessary to complete this action programmatically and in the console.
Console Access
Allow IAM users to modify billing information
IAM Policy
An IAM policy that allows IAM users to modify the Consolidated Billing, Preferences, and Credits console pages. It also allows an IAM user to view the following Billing and Cost Management console pages: Dashboard, Cost Explorer, Bills, Payment History, Advance Payment.
Console Access
Allow IAM users to create budgets
IAM Policy
An IAM policy that allows IAM users to modify the Budget console page. To allow IAM users to create budgets in the Billing and Cost Management console, you must also allow IAM users to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications.
Console Access
Allow IAM users to create, view, or delete an AWS Cost and Usage report
IAM Policy
An IAM policy that allows IAM users to create, view, or delete an AWS Cost and Usage report using the API.
Console Access
KMS
Allow a User Read-Only Access to All CMKs through the AWS KMS Console
IAM Policy
An IAM policy that allows IAM users read-only access to the AWS KMS console. That is, users can use the console to view all CMKs, but they cannot make changes to any CMKs or create new ones.
API and CLI Access
Console Access
encryption
Allow a User to Encrypt and Decrypt with Any CMK in a Specific AWS Account and Region
IAM Policy
An IAM policy that allows IAM users to successfully request that AWS KMS encrypt and decrypt data with any CMK in the specified AWS account and region.
API and CLI Access
encryption
Allow a User to Encrypt and Decrypt with Specific CMKs
IAM Policy
An IAM policy that allows IAM users to successfully request that AWS KMS encrypt and decrypt data with a specific CMK.
API and CLI Access
encryption
Prevent a User from Disabling or Deleting Any CMKs
IAM Policy
An IAM policy that prevents a user from disabling or deleting any CMKs, even when another IAM policy or a key policy allows these permissions.
API and CLI Access
encryption
Console Access
CloudFormation
Prevent Users from Updating or Deleting Specific CloudFormation Stacks
IAM Policy
An IAM policy that allows all CloudFormation APIs access, but denies UpdateStack and DeleteStack APIs access on a specific stack (e.g. a production stack). This policy also provides the permissions necessary to complete this action on the console.
API and CLI Access
encryption
Console Access
Allow Users to Create or Update CloudFormation Stacks Using Specific Templates Only
IAM Policy
An IAM policy that allows users to create new or update existing CloudFormation stacks, as long as the template URL used is allowed. This policy also provides the permissions necessary to complete this action on the console.
API and CLI Access
encryption
Console Access
Prevent Creating or Updating CloudFormation Stacks that Contain Specific AWS Resource Types
IAM Policy
An IAM policy that prevents creating or updating CloudFormation stacks that contain specific resource types (This policy uses IAM resources as the default example). This policy also provides the permissions necessary to complete this action on the console.
API and CLI Access
encryption
Console Access