Manage Permissions

IAM Home

Product Details

Getting Started

Resources & Tools

FAQs

Partners

Permissions let you specify access to AWS resources. Permissions are granted to IAM entities (users, groups, and roles) and by default these entities start with no permissions. In other words, IAM entities can do nothing in AWS until you grant them your desired permissions. To give entities permissions, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed. In addition, you can specify any conditions that must be set for access to be allowed or denied.

How to Become an IAM Policy Ninja in 60 Minutes or Less
53:32
How to Become an IAM Policy Ninja in 60 Minutes or Less

Latest Blog Posts About Permissions

Adhere to IAM Best Practices in 2016

How to Create a Limited IAM Administrator by Using Managed Policies

An Easier Way to Manage Your Policies

Make a New Year’s Resolution: Adhere to IAM Best Practices

Enable a New Feature in the AWS Management Console: Cross-Account Access

Get Started with AWS for Free

Create a Free Account
Or Sign In to the Console

AWS Free Tier includes 750hrs of Micro Cache Node with Amazon ElastiCache.

View AWS Free Tier Details »

Follow @AWSIdentity on Twitter

 

To assign permissions to a user, group, role, or resource, you create a policy that lets you specify:

  • Actions – Which AWS actions you allow. For example, you might allow a user to call the Amazon S3 ListBucket action. Any actions that you don't explicitly allow are denied.
  • Resources – Which AWS resources you allow the action on. For example, what Amazon S3 buckets will you allow the user to perform the ListBucket action on? Users cannot access any resources that you do not explicitly grant permissions to.
  • Effect – Whether to allow or deny access. Because access is denied by default, you typically write policies where the effect is to allow.
  • Conditions – Which conditions must be present for the policy to take effect. For example, you might allow access only to the specific S3 buckets if the user is connecting from a specific IP range or has used multi-factor authentication at login.

Policies are created using JSON. A policy consists of one or more statements, each of which describes one set of permissions. To learn more about the policy language, see AWS IAM Policy Reference. Here's an example of a simple policy:

{
  "Version":"2012-10-17",
  "Statement":[{
      "Effect":"Allow",
      "Action":"s3:ListBucket",
      "Resource":"arn:aws:s3:::example_bucket"
    }]
}

If you use the AWS Management Console to manage permissions, you can select a predefined policy managed by AWS or create your own using the policy generator. For more information, see the Overview of IAM Policies section of the Using IAM guide.