
How to Create Custom IAM Policy in AWS: Simple Guide

To create a custom IAM policy in AWS, write a JSON document defining permissions with Version, Statement, Effect, Action, and Resource. Then attach this policy to users, groups, or roles to control access.

Syntax

An IAM policy is a JSON document with these main parts:

  • Version: The policy language version, usually "2012-10-17".
  • Statement: One or more permission statements.
  • Effect: Either "Allow" or "Deny" to permit or block actions.
  • Action: The AWS service actions the policy controls, like "s3:ListBucket".
  • Resource: The AWS resources the actions apply to, specified by ARN.
json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "service:action",
      "Resource": "arn:aws:service:region:account-id:resource"
    }
  ]
}

Example

This example policy allows listing all S3 buckets and reading objects from a specific bucket.

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
Output
Policy created successfully and can be attached to users, groups, or roles.

Common Pitfalls

Common mistakes when creating IAM policies include:

  • Misspelling Action names or using the wrong service prefix.
  • Setting Resource too broadly or too narrowly, causing unintended access or denial.
  • Forgetting to include Version or using an outdated version.
  • Not testing the policy before applying it, which can lock out users.

Always validate your JSON and test policies with the AWS Policy Simulator.

json
// Wrong: s3:ListBucket on "*" lets the principal list the contents of every bucket, and no statement grants read access to the objects themselves (s3:GetObject).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "*"
    }
  ]
}

// Also wrong: within one statement every Action applies to every Resource, so s3:GetObject is granted on "*" and the example-bucket ARN narrows nothing.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetObject"],
      "Resource": ["*", "arn:aws:s3:::example-bucket/*"]
    }
  ]
}

// Right: separate statements pair each permission with its own resource.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
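An added pre-check for the pitfalls above (example code written for this guide, not part of the original page or of any AWS tool): it parses a policy document and reports a missing or outdated Version, a statement missing Effect, Action or Resource, an action name that is not shaped like service:Action, and an Allow statement that lists "*" beside specific ARNs. The sample policy at the bottom is a constructed copy of the combined-statement policy shown under Common Pitfalls.

```python
import json
import re

CURRENT_VERSION = "2012-10-17"
REQUIRED_KEYS = ("Effect", "Action", "Resource")
# Format check only: IAM does not reject an unknown action name, so a typo can survive this.
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")

def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json: str) -> list:
    """Return findings for the pitfalls above; an empty list means none were found."""
    findings = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return ["invalid JSON: %s" % exc]
    if policy.get("Version") != CURRENT_VERSION:
        findings.append('Version must be "%s", got %r' % (CURRENT_VERSION, policy.get("Version")))
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    for i, stmt in enumerate(statements):
        for key in REQUIRED_KEYS:
            if key not in stmt:
                findings.append("statement %d: missing %s" % (i, key))
        for action in _as_list(stmt.get("Action")):
            if not ACTION_RE.match(action):
                findings.append("statement %d: malformed action %r" % (i, action))
        resources = _as_list(stmt.get("Resource"))
        # Every Action in a statement applies to every Resource in it, so "*" next to a
        # specific ARN grants all of the listed actions on everything.
        if stmt.get("Effect") == "Allow" and "*" in resources and len(resources) > 1:
            findings.append('statement %d: Resource "*" beside specific ARNs; '
                            "split into separate statements" % i)
    return findings

# Constructed sample: the combined-statement policy from the Common Pitfalls section.
COMBINED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetObject"],
    "Resource": ["*", "arn:aws:s3:::example-bucket/*"]}]})
```

This checks JSON shape and the mistakes listed above, nothing more; whether a principal can actually perform an action is still a question for the AWS Policy Simulator.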

Quick Reference

Remember these tips when creating custom IAM policies:

  • Always specify the Version as "2012-10-17".
  • Use precise Action names from AWS documentation.
  • Define Resource ARNs carefully to limit access.
  • Use multiple statements for different permissions.
  • Test policies with AWS Policy Simulator before applying.

Key Takeaways

A custom IAM policy is a JSON document defining permissions with Version, Statement, Effect, Action, and Resource.
Use precise AWS action names and resource ARNs to control access accurately.
Separate permissions into multiple statements for clarity and security.
Always validate and test policies with AWS Policy Simulator before applying.
Attach custom policies to users, groups, or roles to enforce permissions.