
Define custom IAM permissions with customer managed policies


Policies define permissions for identities or resources in AWS. You can create customer managed policies in IAM using the AWS Management Console, AWS CLI, or AWS API. Customer managed policies are standalone policies that you manage in your own AWS account. You can then attach the policies to identities (users, groups, and roles) in your AWS account.

An identity-based policy is a policy attached to an identity in IAM. Identity-based policies can include AWS managed policies, customer managed policies, and inline policies. AWS managed policies are created and managed by AWS; you can use them but not modify them. An inline policy is one that you create and embed directly in an IAM user group, user, or role. Inline policies can't be reused on other identities or managed outside of the identity where they exist. For more information, see Adding and removing IAM identity permissions.

It's generally better to use customer managed policies instead of inline policies or AWS managed policies. AWS managed policies usually provide broad administrative or read-only permissions. For the greatest security, grant the least privilege, which means granting only the permissions required to perform specific job tasks.

When you create or edit IAM policies, AWS can automatically perform policy validation to help you create an effective policy with least privilege in mind. In the AWS Management Console, IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see IAM policy validation. To learn more about IAM Access Analyzer policy checks and actionable recommendations, see IAM Access Analyzer policy validation.
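The least-privilege and validation points above, as an added example that is not AWS's own code: a small local pre-check that flags the obvious over-broad grants in a customer managed policy document before it is submitted (the authoritative checks remain IAM's JSON validation and IAM Access Analyzer). The two policy documents and the bucket name are constructed for the example.

```python
import json

# Constructed sample documents (not from the page): a broad grant and its scoped form.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",  # placeholder bucket
        }
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_json):
    """Return (statement index, reason) pairs for Allow statements that look over-broad.

    This is a local pre-check, not IAM Access Analyzer: some actions legitimately
    require Resource "*", so treat each finding as a prompt to justify the grant.
    """
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("policy document must declare Version 2012-10-17")
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((i, "Allow with NotAction grants all other actions"))
        actions = _as_list(stmt.get("Action", []))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API operation"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide Action wildcard (e.g. s3:*)"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource '*' applies the grant account-wide"))
    return findings
```

Run the check on a document before `aws iam create-policy`; a clean result is not proof of least privilege, only the absence of the coarsest wildcards.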

You can use the AWS Management Console, AWS CLI, or AWS API to create customer managed policies in IAM. For more information about using AWS CloudFormation templates to add or update policies, see AWS Identity and Access Management resource type reference in the AWS CloudFormation User Guide.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.