docs.aws.amazon.com
Open in
urlscan Pro
108.138.36.93
Public Scan
Submitted URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#remove-policies-console
Effective URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html
Submission: On May 30 via api from US — Scanned from DE
Effective URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html
Submission: On May 30 via api from US — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
SELECT YOUR COOKIE PREFERENCES
We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.
If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”
Accept all cookiesContinue without acceptingCustomize cookies
CUSTOMIZE COOKIE PREFERENCES
We use cookies and similar tools (collectively, "cookies") for the following
purposes.
ESSENTIAL
Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.
PERFORMANCE
Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.
Allow performance category
Allowed
FUNCTIONAL
Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.
Allow functional category
Allowed
ADVERTISING
Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.
Allow advertising category
Allowed
Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice.
CancelSave preferences
UNABLE TO SAVE COOKIE PREFERENCES
We will only store essential cookies at this time, because we were unable to
save your cookie preferences.
If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.
Dismiss
Contact Us
English
Create an AWS Account
1. AWS
2. ...
3. Documentation
4. AWS Identity and Access Management
5. User Guide
Feedback
Preferences
AWS IDENTITY AND ACCESS MANAGEMENT
USER GUIDE
* What is IAM?
* When do I use IAM
* How IAM works
* Users in AWS
* Permissions and policies in IAM
* What is ABAC?
* Security features outside IAM
* Quick links to common tasks
* IAM console search
* AWS CloudFormation resources
* Using AWS CloudShell
* Working with AWS SDKs
* Getting set up
* IAM management methods
* Your AWS account ID and its alias
* Getting started
* Security best practices and use cases
* Security best practices
* Root user best practices
* Business use cases
* Tutorials
* Grant access to the billing console
* Delegate access across AWS accounts using roles
* Create a customer managed policy
* Use attribute-based access control (ABAC)
* Use SAML session tags for ABAC
* Permit users to manage their credentials and MFA settings
* Identities
* AWS account root user
* Enable a virtual MFA device for your AWS account root user (console)
* Enable a hardware TOTP token for the AWS account root user (console)
* Enable a FIDO security key for the AWS account root user (console)
* Change the password
* Resetting a lost or forgotten root user password
* Creating access keys for the root user
* Deleting access keys for the root user
* Tasks that require root user
* Troubleshooting root user issues
* Related information
* Users
* Adding a user
* Controlling user access to the console
* How IAM users sign in to AWS
* Using MFA devices with your IAM sign-in page
* Managing users
* Changing permissions for a user
* Managing passwords
* Setting a password policy
* Managing user passwords
* Permitting IAM users to change their own passwords
* How an IAM user changes their own password
* Access keys
* Retrieving lost passwords or access keys
* Multi-factor authentication (MFA)
* Enabling MFA devices
* General steps for enabling MFA devices
* Enabling a virtual MFA device (console)
* Enabling a FIDO security key (console)
* Supported configurations for using FIDO security keys
* Enabling a hardware TOTP token (console)
* Enabling and managing virtual MFA devices (AWS CLI or AWS API)
* Checking MFA status
* Resynchronizing virtual and hardware MFA devices
* Deactivating MFA devices
* What if an MFA device is lost or stops working?
* Configuring MFA-protected API access
* Sample code: MFA
* Find unused credentials
* Getting credential reports
* Using IAM with CodeCommit
* Using IAM with Amazon Keyspaces
* Managing server certificates
* User groups
* Creating user groups
* Managing user groups
* Listing IAM user groups
* Adding and removing users in an IAM user group
* Attaching a policy to an IAM user group
* Renaming an IAM user group
* Deleting a user group
* Roles
* Terms and concepts
* Common scenarios
* Providing access across AWS accounts
* Providing access for non AWS workloads
* Providing access to third-party AWS accounts
* Using an external ID for third-party access
* Providing access to AWS services
* The confused deputy problem
* Providing access through identity federation
* Service-linked roles
* Creating roles
* Creating a role for an IAM user
* Creating a role for an AWS service
* Creating a role for identity federation
* Create a role for OIDC federation
* Create a role for SAML 2.0 federation
* Creating a role using custom trust policies
* Examples of policies for delegating access
* Using roles
* Granting a user permissions to switch roles
* Granting permissions to pass a role to a service
* Switching roles (console)
* Switching roles (AWS CLI)
* Switching roles (Tools for Windows PowerShell)
* Switching roles (AWS API)
* Using roles for applications on Amazon EC2
* Using instance profiles
* Revoking role temporary credentials
* Managing roles
* Modifying a role
* Modifying a role (console)
* Modifying a role (AWS CLI)
* Modifying a role (AWS API)
* Deleting roles or instance profiles
* Identity providers and federation
* Common scenarios
* Using Amazon Cognito for mobile apps
* Using OIDC federation API operations for mobile apps
* OIDC federation
* Create OIDC identity provider
* Obtain the thumbprint for an OIDC provider
* Identify users with OIDC federation
* Additional resources for OIDC federation
* SAML 2.0 federation
* Create SAML identity provider
* Configure relying party trust and claims
* Integrate third-party SAML solution providers with AWS
* Configure SAML assertions for the authentication response
* Enable SAML 2.0 federated users to access the AWS console
* Temporary security credentials
* Requesting temporary security credentials
* Using temporary credentials with AWS resources
* Controlling permissions for temporary security credentials
* Permissions for AssumeRole API operations
* Monitor and control actions taken with assumed roles
* Permissions for GetFederationToken
* Permissions for GetSessionToken
* Disabling permissions
* Granting permissions to create credentials
* Granting permissions to use identity-aware console sessions
* Managing AWS STS in an AWS Region
* Using bearer tokens
* Sample applications that use temporary credentials
* Enabling custom identity broker access to the AWS console
* Additional resources for temporary credentials
* Tagging IAM resources
* Tagging IAM users
* Tagging IAM roles
* Tagging customer managed policies
* Tagging IAM identity providers
* Tagging OpenID Connect (OIDC) identity providers
* Tagging IAM SAML identity providers
* Tagging instance profiles
* Tagging server certificates
* Tagging virtual MFA devices
* Session tags
* Log events with CloudTrail
* Access management
* Policies and permissions
* Managed policies and inline policies
* Choosing managed or inline
* Getting started with managed policies
* Converting inline policy to managed
* Deprecated AWS managed policies
* Data perimeters
* Permissions boundaries
* Identity vs resource
* Controlling access using policies
* Control access to IAM users and roles using tags
* Control access to AWS resources using tags
* Cross account resource access
* Forward access sessions
* Example policies
* AWS: Specific access during a date range
* AWS: Enable or disable AWS Regions
* AWS: Self-manage credentials with MFA (Security credentials)
* AWS: Specific access with MFA during a date range
* AWS: Self-manage credentials no MFA (Security credentials)
* AWS: Self-manage MFA device (Security credentials)
* AWS: Self-manage console password (Security credentials)
* AWS: Self-manage password, access keys, & SSH public keys (My
security credentials)
* AWS: Deny access based on requested Region
* AWS: Deny access based on source IP
* AWS: Deny access to Amazon S3 resources outside your account except
AWS Data Exchange
* Data Pipeline: Deny access to pipelines not created by user
* DynamoDB: Access specific table
* DynamoDB: Allow access to specific attributes
* DynamoDB: Allow item access based on a Amazon Cognito ID
* EC2: Attach or detach tagged EBS volumes
* EC2: Launch instances in a subnet (includes console)
* EC2: Manage security groups with the same tags (includes console)
* EC2: Start or stop instances a user has tagged (includes console)
* EC2: Start or stop instances based on tags
* EC2: Start or stop for matching tags
* EC2: Full access within a Region (includes console)
* EC2: Start or stop an instance, modify security group (includes
console)
* EC2: Requires MFA (GetSessionToken) for operations
* EC2: Limit terminating instances to IP range
* IAM: Access the policy simulator API
* IAM: Access the policy simulator console
* IAM: Assume tagged roles
* IAM: Allows and denies multiple services (includes console)
* IAM: Add specific tag to tagged user
* IAM: Add a specific tag
* IAM: Create only tagged users
* IAM: Generate credential reports
* IAM: Manage group membership (includes console)
* IAM: Manage a tag
* IAM: Pass a role to a service
* IAM: Read-only console access (no reporting)
* IAM: Read-only console access
* IAM: Specific users manage group (includes console)
* IAM: Setting account password requirements (includes console)
* IAM: Access the policy simulator API based on user path
* IAM: Access the policy simulator console based on user path
(includes console)
* IAM: MFA self-management
* IAM: Update credentials (includes console)
* IAM: View Organizations service last accessed information for a
policy
* IAM: Apply limited managed policies
* AWS: Deny access to resources outside your account except AWS
managed IAM policies
* Lambda: Service access to DynamoDB
* RDS: Full access within a Region
* RDS: Restore databases (includes console)
* RDS: Full access for tag owners
* S3: Access bucket if cognito
* S3: Access federated user home directory (includes console)
* S3: Full access with recent MFA
* S3: Access IAM user home directory (includes console)
* S3: Restrict management to a specific bucket
* S3: Read and write objects to a specific bucket
* S3: Read and write to a specific bucket (includes console)
* Managing IAM policies
* Creating IAM policies
* Creating IAM policies (console)
* Creating IAM policies (CLI)
* Creating IAM policies (API)
* Validating policies
* Generating policies
* Testing IAM policies
* Add or remove identity permissions
* Versioning IAM policies
* Editing IAM policies
* Deleting IAM policies
* Refining permissions using access information
* View IAM access information
* View access information for Organizations
* Example scenarios
* Action last accessed services and actions
* Understanding policies
* Policy summary (list of services)
* Access levels in policy summaries
* Service summary (list of actions)
* Action summary (list of resources)
* Example policy summaries
* Permissions required
* Example policies for IAM
* Code examples
* IAM
* Actions
* AddClientIdToOpenIdConnectProvider
* AddRoleToInstanceProfile
* AddUserToGroup
* AttachGroupPolicy
* AttachRolePolicy
* AttachUserPolicy
* ChangePassword
* CreateAccessKey
* CreateAccountAlias
* CreateGroup
* CreateInstanceProfile
* CreateLoginProfile
* CreateOpenIdConnectProvider
* CreatePolicy
* CreatePolicyVersion
* CreateRole
* CreateSAMLProvider
* CreateServiceLinkedRole
* CreateUser
* CreateVirtualMfaDevice
* DeactivateMfaDevice
* DeleteAccessKey
* DeleteAccountAlias
* DeleteAccountPasswordPolicy
* DeleteGroup
* DeleteGroupPolicy
* DeleteInstanceProfile
* DeleteLoginProfile
* DeleteOpenIdConnectProvider
* DeletePolicy
* DeletePolicyVersion
* DeleteRole
* DeleteRolePermissionsBoundary
* DeleteRolePolicy
* DeleteSAMLProvider
* DeleteServerCertificate
* DeleteServiceLinkedRole
* DeleteSigningCertificate
* DeleteUser
* DeleteUserPermissionsBoundary
* DeleteUserPolicy
* DeleteVirtualMfaDevice
* DetachGroupPolicy
* DetachRolePolicy
* DetachUserPolicy
* EnableMfaDevice
* GenerateCredentialReport
* GenerateServiceLastAccessedDetails
* GetAccessKeyLastUsed
* GetAccountAuthorizationDetails
* GetAccountPasswordPolicy
* GetAccountSummary
* GetContextKeysForCustomPolicy
* GetContextKeysForPrincipalPolicy
* GetCredentialReport
* GetGroup
* GetGroupPolicy
* GetInstanceProfile
* GetLoginProfile
* GetOpenIdConnectProvider
* GetPolicy
* GetPolicyVersion
* GetRole
* GetRolePolicy
* GetSamlProvider
* GetServerCertificate
* GetServiceLastAccessedDetails
* GetServiceLastAccessedDetailsWithEntities
* GetServiceLinkedRoleDeletionStatus
* GetUser
* GetUserPolicy
* ListAccessKeys
* ListAccountAliases
* ListAttachedGroupPolicies
* ListAttachedRolePolicies
* ListAttachedUserPolicies
* ListEntitiesForPolicy
* ListGroupPolicies
* ListGroups
* ListGroupsForUser
* ListInstanceProfiles
* ListInstanceProfilesForRole
* ListMfaDevices
* ListOpenIdConnectProviders
* ListPolicies
* ListPolicyVersions
* ListRolePolicies
* ListRoleTags
* ListRoles
* ListSAMLProviders
* ListServerCertificates
* ListSigningCertificates
* ListUserPolicies
* ListUserTags
* ListUsers
* ListVirtualMfaDevices
* PutGroupPolicy
* PutRolePermissionsBoundary
* PutRolePolicy
* PutUserPermissionsBoundary
* PutUserPolicy
* RemoveClientIdFromOpenIdConnectProvider
* RemoveRoleFromInstanceProfile
* RemoveUserFromGroup
* ResyncMfaDevice
* SetDefaultPolicyVersion
* TagRole
* TagUser
* UntagRole
* UntagUser
* UpdateAccessKey
* UpdateAccountPasswordPolicy
* UpdateAssumeRolePolicy
* UpdateGroup
* UpdateLoginProfile
* UpdateOpenIdConnectProviderThumbprint
* UpdateRole
* UpdateRoleDescription
* UpdateSamlProvider
* UpdateServerCertificate
* UpdateSigningCertificate
* UpdateUser
* UploadServerCertificate
* UploadSigningCertificate
* Scenarios
* Build and manage a resilient service
* Create a group and add a user
* Create a user and assume a role
* Create read-only and read-write users
* Manage access keys
* Manage policies
* Manage roles
* Manage your account
* Roll back a policy version
* Work with the IAM Policy Builder API
* AWS STS
* Actions
* AssumeRole
* AssumeRoleWithWebIdentity
* DecodeAuthorizationMessage
* GetFederationToken
* GetSessionToken
* Scenarios
* Assume an IAM role that requires an MFA token
* Construct a URL for federated users
* Get a session token that requires an MFA token
* Security
* AWS security credentials
* AWS security audit guidelines
* Data protection
* Logging and monitoring
* Compliance validation
* Resilience
* Infrastructure security
* Configuration and vulnerability analysis
* AWS managed policies
* IAM Access Analyzer
* Findings for external and unused access
* How IAM Access Analyzer findings work
* Getting started with IAM Access Analyzer findings
* Findings dashboard
* Working with findings
* Reviewing findings
* Filtering findings
* Archiving findings
* Resolving findings
* Supported resource types
* Settings
* Archive rules
* Monitoring with EventBridge
* Security Hub integration
* Logging with CloudTrail
* IAM Access Analyzer filter keys
* Using service-linked roles
* Preview access
* Previewing access in Amazon S3 console
* Previewing access with IAM Access Analyzer APIs
* Checks for validating policies
* IAM Access Analyzer policy validation
* Policy check reference
* Custom policy checks
* IAM Access Analyzer policy generation
* IAM Access Analyzer policy generation services
* IAM Access Analyzer quotas
* Troubleshooting IAM
* General issues
* Access denied error messages
* IAM policies
* FIDO security keys
* IAM roles
* IAM and Amazon EC2
* IAM and Amazon S3
* SAML 2.0 federation
* Viewing a SAML response in your browser
* Reference
* Amazon Resource Names (ARNs)
* IAM identifiers
* IAM and AWS STS quotas
* Interface VPC endpoints
* Services that work with IAM
* Signing AWS API requests
* Signature Version 4 request elements
* Authentication methods
* Create a signed request
* Request signature examples
* Troubleshoot
* Policy reference
* JSON element reference
* Version
* Id
* Statement
* Sid
* Effect
* Principal
* NotPrincipal
* Action
* NotAction
* Resource
* NotResource
* Condition
* Condition operators
* Conditions with multiple context keys or values
* Single-valued vs. multivalued context keys
* Condition policy examples
* Multivalued context key examples
* Single-valued context key policy examples
* Variables and tags
* Supported data types
* Policy evaluation logic
* Cross-account policy evaluation logic
* Policy grammar
* AWS managed policies for job functions
* Creating roles and attaching policies (console)
* Global condition keys
* IAM condition keys
* Actions, resources, and condition keys
* Resources
* Making HTTP query requests
* Document history
Adding and removing IAM identity permissions - AWS Identity and Access
Management
AWSDocumentationAWS Identity and Access ManagementUser Guide
TerminologyView identity activityAdding IAM identity permissions
(console)Removing IAM identity permissions (console)Adding IAM policies (AWS
CLI)Removing IAM policies (AWS CLI)Adding IAM policies (AWS API)Removing IAM
policies (AWS API)
ADDING AND REMOVING IAM IDENTITY PERMISSIONS
PDFRSS
You use policies to define the permissions for an identity (user, user group, or
role). You can add and remove permissions by attaching and detaching IAM
policies for an identity using the AWS Management Console, the AWS Command Line
Interface (AWS CLI), or the AWS API. You can also use policies to set
permissions boundaries for only entities (users or roles) that are using the
same methods. Permissions boundaries are an advanced AWS feature that control
the maximum permissions that an entity can have.
TOPICS
* Terminology
* View identity activity
* Adding IAM identity permissions (console)
* Removing IAM identity permissions (console)
* Adding IAM policies (AWS CLI)
* Removing IAM policies (AWS CLI)
* Adding IAM policies (AWS API)
* Removing IAM policies (AWS API)
TERMINOLOGY
When you associate permissions policies with identities (users, user groups, and
roles), terminology and procedures vary depending on whether you are working
with a managed or inline policy:
* Attach – Used with managed policies. You attach a managed policy to an
identity (a user, user group, or role). Attaching a policy applies the
permissions in the policy to the identity.
* Detach – Used with managed policies. You detach a managed policy from an IAM
identity (a user, user group, or role). Detaching a policy removes its
permissions from the identity.
* Embed – Used with inline policies. You embed an inline policy in an identity
(a user, user group, or role). Embedding a policy applies the permissions in
the policy to the identity. Because an inline policy is stored in the
identity, it is embedded rather than attached, though the results are
similar.
NOTE
You can embed an inline policy for a service-linked role only in the service
that depends on the role. See the AWS documentation for your service to see
whether it supports this feature.
* Delete – Used with inline policies. You delete an inline policy from an IAM
identity (a user, user group, or role). Deleting a policy removes its
permissions from the identity.
NOTE
You can delete an inline policy for a service-linked role only in the service
that depends on the role. See the AWS documentation for your service to see
whether it supports this feature.
You can use the console, AWS CLI, or AWS API to perform any of these actions.
MORE INFORMATION
* For more information about the difference between managed and inline
policies, see Managed policies and inline policies.
* For more information about permissions boundaries, see Permissions boundaries
for IAM entities.
* For general information about IAM policies, see Policies and permissions in
IAM.
* For information about validating IAM policies, see Validating IAM policies.
* The number and size of IAM resources in an AWS account are limited. For more
information, see IAM and AWS STS quotas.
VIEW IDENTITY ACTIVITY
Before you change the permissions for an identity (user, user group, or role),
you should review their recent service-level activity. This is important because
you don't want to remove access from a principal (person or application) who is
using it. For more information about viewing last accessed information, see
Refining permissions in AWS using last accessed information.
ADDING IAM IDENTITY PERMISSIONS (CONSOLE)
You can use the AWS Management Console to add permissions to an identity (user,
user group, or role). To do this, attach managed policies that control
permissions, or specify a policy that serves as a permissions boundary. You can
also embed an inline policy.
TO USE A MANAGED POLICY AS A PERMISSIONS POLICY FOR AN IDENTITY (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies.
3. In the list of policies, select the radio button next to the name of the
policy to attach. You can use the search box to filter the list of policies.
4. Choose Actions, and then choose Attach.
5. Select one or more identities to attach the policy to. You can use the
search box to filter the list of principal entities. After selecting the
identities, choose Attach policy.
TO USE A MANAGED POLICY TO SET A PERMISSIONS BOUNDARY (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies.
3. In the list of policies, choose the name of the policy to set. You can use
the search box to filter the list of policies.
4. On the policy details page, choose the Entities attached tab, and then, if
necessary, open the Attached as a permissions boundaries section and choose
Set this policy as a permissions boundary.
5. Select one or more users or roles on which to use the policy for a
permissions boundary. You can use the search box to filter the list of
principal entities. After selecting the principals, choose Set permissions
boundary.
TO EMBED AN INLINE POLICY FOR A USER OR ROLE (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users or Roles.
3. In the list, choose the name of the user or role to embed a policy in.
4. Choose the Permissions tab.
5. Choose Add permissions and then choose Create inline policy.
NOTE
You cannot embed an inline policy in a service-linked role in IAM. Because
the linked service defines whether you can modify the permissions of the
role, you might be able to add additional policies from the service console,
API, or AWS CLI. To view the service-linked role documentation for a
service, see AWS services that work with IAM and choose Yes in the
Service-Linked Role column for your service.
6. Choose from the following methods to view the steps required to create your
policy:
* Importing existing managed policies – You can import a managed policy
within your account and then edit the policy to customize it to your
specific requirements. A managed policy can be an AWS managed policy or a
customer managed policy that you created previously.
* Creating policies with the visual editor – You can construct a new policy
from scratch in the visual editor. If you use the visual editor, you do
not have to understand JSON syntax.
* Creating policies using the JSON editor – In the JSON editor option, you
can use JSON syntax to create a policy. You can type a new JSON policy
document or paste an example policy.
7. After you create an inline policy, it is automatically embedded in your user
or role.
TO EMBED AN INLINE POLICY FOR A USER GROUP (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose User groups.
3. In the list, choose the name of the user group to embed a policy in.
4. Choose the Permissions tab, choose Add permissions, and then choose Create
inline policy.
5. Do one of the following:
* Choose the Visual option to create the policy. For more information, see
Creating policies with the visual editor.
* Choose the JSON option to create the policy. For more information, see
Creating policies using the JSON editor.
6. When you are satisfied with the policy, choose Create policy.
TO CHANGE THE PERMISSIONS BOUNDARY FOR ONE OR MORE ENTITIES (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies.
3. In the list of policies, choose the name of the policy to set. You can use
the search box to filter the list of policies.
4. On the policy details page, choose the Entities attached tab, and then, if
necessary, open the Attached as a permissions boundary section. Select the
check box next to the users or roles whose boundaries you want to change and
then choose Change.
5. Select a new policy to use for a permissions boundary. You can use the
search box to filter the list of policies. After selecting the policy,
choose Set permissions boundary.
REMOVING IAM IDENTITY PERMISSIONS (CONSOLE)
You can use the AWS Management Console to remove permissions from an identity
(user, user group, or role). To do this, detach managed policies that control
permissions, or remove a policy that serves as a permissions boundary. You can
also delete an inline policy.
TO DETACH A MANAGED POLICY USED AS A PERMISSIONS POLICY (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies.
3. In the list of policies, select the radio button next to the name of the
policy to detach. You can use the search box to filter the list of policies.
4. Choose Actions, and then choose Detach.
5. Select the identities to detach the policy from. You can use the search box
to filter the list of identities. After selecting the identities, choose
Detach policy.
TO REMOVE A PERMISSIONS BOUNDARY (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies.
3. In the list of policies, choose the name of the policy to set. You can use
the search box to filter the list of policies.
4. On the policy summary page, choose the Entities attached tab, and then, if
necessary, open the Attached as a permissions boundary section and choose
the entities to remove the permissions boundary from. Then choose Remove
boundary.
5. Confirm that you want to remove the boundary and choose Remove boundary.
TO DELETE AN INLINE POLICY (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose User groups, Users, or Roles.
3. In the list, choose the name of the user group, user, or role that has the
policy you want to remove.
4. Choose the Permissions tab.
5. Select the check box next to the policy and choose Remove.
6. Choose Remove in the confirmation box.
ADDING IAM POLICIES (AWS CLI)
You can use the AWS CLI to add permissions to an identity (user, user group, or
role). To do this, attach managed policies that control permissions, or specify
a policy that serves as a permissions boundary. You can also embed an inline
policy.
TO USE A MANAGED POLICY AS A PERMISSIONS POLICY FOR AN ENTITY (AWS CLI)
1. (Optional) To view information about a managed policy, run the following
commands:
* To list managed policies: aws iam list-policies
* To retrieve detailed information about a managed policy: get-policy
2. To attach a managed policy to an identity (user, user group, or role), use
one of the following commands:
* aws iam attach-user-policy
* aws iam attach-group-policy
* aws iam attach-role-policy
TO USE A MANAGED POLICY TO SET A PERMISSIONS BOUNDARY (AWS CLI)
1. (Optional) To view information about a managed policy, run the following
commands:
* To list managed policies: aws iam list-policies
* To retrieve detailed information about a managed policy: aws iam
get-policy
2. To use a managed policy to set the permissions boundary for an entity (user
or role), use one of the following commands:
* aws iam put-user-permissions-boundary
* aws iam put-role-permissions-boundary
TO EMBED AN INLINE POLICY (AWS CLI)
To embed an inline policy to an identity (user, user group, or role that is not
a service-linked role), use one of the following commands:
* aws iam put-user-policy
* aws iam put-group-policy
* aws iam put-role-policy
REMOVING IAM POLICIES (AWS CLI)
You can use the AWS CLI to detach managed policies that control permissions, or
remove a policy that serves as a permissions boundary. You can also delete an
inline policy.
TO DETACH A MANAGED POLICY USED AS A PERMISSIONS POLICY (AWS CLI)
1. (Optional) To view information about a policy, run the following commands:
* To list managed policies: aws iam list-policies
* To retrieve detailed information about a managed policy: aws iam
get-policy
2. (Optional) To find out about the relationships between the policies and
identities, run the following commands:
* To list the identities (users, user groups, and roles) to which a managed
policy is attached:
* aws iam list-entities-for-policy
* To list the managed policies attached to an identity (a user, user group,
or role), use one of the following commands:
* aws iam list-attached-user-policies
* aws iam list-attached-group-policies
* aws iam list-attached-role-policies
3. To detach a managed policy from an identity (user, user group, or role), use
one of the following commands:
* aws iam detach-user-policy
* aws iam detach-group-policy
* aws iam detach-role-policy
TO REMOVE A PERMISSIONS BOUNDARY (AWS CLI)
1. (Optional) To view which managed policy is currently used to set the
permissions boundary for a user or role, run the following commands:
* aws iam get-user
* aws iam get-role
2. (Optional) To view the users or roles on which a managed policy is used for
a permissions boundary, run the following command:
* aws iam list-entities-for-policy
3. (Optional) To view information about a managed policy, run the following
commands:
* To list managed policies: aws iam list-policies
* To retrieve detailed information about a managed policy: aws iam
get-policy
4. To remove a permissions boundary from a user or role, use one of the
following commands:
* aws iam delete-user-permissions-boundary
* aws iam delete-role-permissions-boundary
TO DELETE AN INLINE POLICY (AWS CLI)
1. (Optional) To list all inline policies that are attached to an identity
(user, user group, role), use one of the following commands:
* aws iam list-user-policies
* aws iam list-group-policies
* aws iam list-role-policies
2. (Optional) To retrieve an inline policy document that is embedded in an
identity (user, user group, or role), use one of the following commands:
* aws iam get-user-policy
* aws iam get-group-policy
* aws iam get-role-policy
3. To delete an inline policy from an identity (user, user group, or role that
is not a service-linked role), use one of the following commands:
* aws iam delete-user-policy
* aws iam delete-group-policy
* aws iam delete-role-policy
ADDING IAM POLICIES (AWS API)
You can use the AWS API to attach managed policies that control permissions or
specify a policy that serves as a permissions boundary. You can also embed an
inline policy.
TO USE A MANAGED POLICY AS A PERMISSIONS POLICY FOR AN ENTITY (AWS API)
1. (Optional) To view information about a policy, call the following
operations:
* To list managed policies: ListPolicies
* To retrieve detailed information about a managed policy: GetPolicy
2. To attach a managed policy to an identity (user, user group, or role), call
one of the following operations:
* AttachUserPolicy
* AttachGroupPolicy
* AttachRolePolicy
TO USE A MANAGED POLICY TO SET A PERMISSIONS BOUNDARY (AWS API)
1. (Optional) To view information about a managed policy, call the following
operations:
* To list managed policies: ListPolicies
* To retrieve detailed information about a managed policy: GetPolicy
2. To use a managed policy to set the permissions boundary for an entity (user
or role), call one of the following operations:
* PutUserPermissionsBoundary
* PutRolePermissionsBoundary
TO EMBED AN INLINE POLICY (AWS API)
To embed an inline policy in an identity (user, user group, or role that is not
a service-linked role), call one of the following operations:
* PutUserPolicy
* PutGroupPolicy
* PutRolePolicy
REMOVING IAM POLICIES (AWS API)
You can use the AWS API to detach managed policies that control permissions or
remove a policy that serves as a permissions boundary. You can also delete an
inline policy.
TO DETACH A MANAGED POLICY USED AS A PERMISSIONS POLICY (AWS API)
1. (Optional) To view information about a policy, call the following
operations:
* To list managed policies: ListPolicies
* To retrieve detailed information about a managed policy: GetPolicy
2. (Optional) To find out about the relationships between the policies and
identities, call the following operations:
* To list the identities (users, user groups, and roles) to which a managed
policy is attached:
* ListEntitiesForPolicy
* To list the managed policies attached to an identity (a user, user group,
or role), call one of the following operations:
* ListAttachedUserPolicies
* ListAttachedGroupPolicies
* ListAttachedRolePolicies
3. To detach a managed policy from an identity (user, user group, or role),
call one of the following operations:
* DetachUserPolicy
* DetachGroupPolicy
* DetachRolePolicy
TO REMOVE A PERMISSIONS BOUNDARY (AWS API)
1. (Optional) To view which managed policy is currently used to set the
permissions boundary for a user or role, call the following operations:
* GetUser
* GetRole
2. (Optional) To view the users or roles on which a managed policy is used for
a permissions boundary, call the following operation:
* ListEntitiesForPolicy
3. (Optional) To view information about a managed policy, call the following
operations:
* To list managed policies: ListPolicies
* To retrieve detailed information about a managed policy: GetPolicy
4. To remove a permissions boundary from a user or role, call one of the
following operations:
* DeleteUserPermissionsBoundary
* DeleteRolePermissionsBoundary
TO DELETE AN INLINE POLICY (AWS API)
1. (Optional) To list all inline policies that are attached to an identity
(user, user group, role), call one of the following operations:
* ListUserPolicies
* ListGroupPolicies
* ListRolePolicies
2. (Optional) To retrieve an inline policy document that is embedded in an
identity (user, user group, or role), call one of the following operations:
* GetUserPolicy
* GetGroupPolicy
* GetRolePolicy
3. To delete an inline policy from an identity (user, user group, or role that
is not a service-linked role), call one of the following operations:
* DeleteUserPolicy
* DeleteGroupPolicy
* DeleteRolePolicy
Javascript is disabled or is unavailable in your browser.
To use the Amazon Web Services Documentation, Javascript must be enabled. Please
refer to your browser's Help pages for instructions.
Document Conventions
Testing IAM policies
Versioning IAM policies
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of
it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
DID THIS PAGE HELP YOU?
Yes
No
Provide feedback
NEXT TOPIC:
Versioning IAM policies
PREVIOUS TOPIC:
Testing IAM policies
NEED HELP?
* Try AWS re:Post
* Connect with an AWS IQ expert
PrivacySite termsCookie preferences
© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ON THIS PAGE
* Terminology
* View identity activity
* Adding IAM identity permissions (console)
* Removing IAM identity permissions (console)
* Adding IAM policies (AWS CLI)
* Removing IAM policies (AWS CLI)
* Adding IAM policies (AWS API)
* Removing IAM policies (AWS API)