Edit IAM policies (AWS CLI)
A policy is an entity that, when attached to an identity or resource, defines the permissions of that identity or resource. You can use the AWS Command Line Interface (AWS CLI) to edit customer managed policies and inline policies in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see IAM and AWS STS quotas.
For more information about policy structure and syntax, see Policies and permissions in AWS Identity and Access Management and the IAM JSON policy element reference.
Prerequisites
Before you change the permissions for a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see Refine permissions in AWS using last accessed information.
Editing customer managed policies (AWS CLI)
You can edit a customer managed policy from the AWS CLI.
Note
A managed policy can have up to five versions. If you need to make changes to a customer managed policy that already has five versions, you must first delete one or more existing versions. The default version cannot be deleted; promote another version with set-default-policy-version before deleting the one that is currently the default.
To edit a customer managed policy (AWS CLI)
- (Optional) To view information about a policy, run the following commands:
  - To list managed policies: list-policies
  - To retrieve detailed information about a managed policy: get-policy
- (Optional) To find out about the relationships between policies and identities, run the following commands:
  - To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached: list-entities-for-policy
  - To list the managed policies attached to an identity (a user, user group, or role): list-attached-user-policies, list-attached-group-policies, or list-attached-role-policies
- To edit a customer managed policy, run the following command: create-policy-version. Versions of a managed policy are immutable, so an edit is always a new version. Add --set-as-default so that the new version becomes the one in effect; without it, the permissions that principals actually receive do not change.
- (Optional) To validate a customer managed policy, run the following IAM Access Analyzer command: validate-policy (in the accessanalyzer service, with --policy-type IDENTITY_POLICY for an identity-based policy). Validate the document before you publish it, since a version that has already been created cannot be changed.
Setting the default version of a customer managed policy (AWS CLI)
You can set a default version of a customer managed policy from the AWS CLI.
To set the default version of a customer managed policy (AWS CLI)
- (Optional) To list managed policies, run the following command: list-policies. To see the versions of one policy and which of them is the default, run list-policy-versions.
- To set the default version of a customer managed policy, run the following command: set-default-policy-version. Because version documents are immutable, pointing the default back at an earlier version is also the quickest way to roll back a bad edit.
Deleting a version of a customer managed policy (AWS CLI)
You can delete a version of a customer managed policy from the AWS CLI.
To delete a version of a customer managed policy (AWS CLI)
- (Optional) To list managed policies, run the following command: list-policies
- To delete a version of a customer managed policy, run the following command: delete-policy-version. The version that is currently the default cannot be deleted; to remove it, first make another version the default with set-default-policy-version.
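The managed-policy procedures above (validate, publish a new version, set the default, delete a version) combined into one script. This is an added example and is not code from the AWS documentation page. It assumes the AWS CLI is configured with credentials that allow iam:ListPolicyVersions, iam:CreatePolicyVersion, iam:DeletePolicyVersion, iam:SetDefaultPolicyVersion and access-analyzer:ValidatePolicy; the policy ARN and file name in the usage comment are hypothetical placeholders. The script handles the edge case the note above describes: when all five version slots are used, it deletes the oldest non-default version before creating the new one.

```shell
#!/bin/sh
# Added example, not code from the AWS documentation page: publish an edited
# customer managed policy as a new version with the AWS CLI, validating the
# document with IAM Access Analyzer first and freeing a slot when the policy
# already has the maximum of five versions.
# Assumptions: the policy ARN and the file name in the usage comment are
# hypothetical placeholders; the AWS CLI is configured with credentials that
# allow iam:ListPolicyVersions, iam:CreatePolicyVersion, iam:DeletePolicyVersion,
# iam:SetDefaultPolicyVersion and access-analyzer:ValidatePolicy.
set -eu

# Succeed only when Access Analyzer reports no ERROR-level finding for the
# identity policy document at path $1 (warnings and suggestions do not block).
validate_identity_policy() {
    n=$(aws accessanalyzer validate-policy \
            --policy-type IDENTITY_POLICY \
            --policy-document "file://$1" \
            --query "length(findings[?findingType=='ERROR'])" \
            --output text)
    [ "$n" -eq 0 ]
}

# Print how many versions the managed policy $1 currently has (quota: five).
version_count() {
    aws iam list-policy-versions --policy-arn "$1" \
        --query 'length(Versions)' --output text
}

# Print the VersionId of the oldest version of policy $1 that is not the
# default. The default version cannot be deleted, so it is never a candidate.
oldest_non_default_version() {
    aws iam list-policy-versions --policy-arn "$1" \
        --query 'sort_by(Versions[?IsDefaultVersion==`false`], &CreateDate)[0].VersionId' \
        --output text
}

# Publish the document at path $2 as a new version of policy $1 and make it the
# default, so the change actually takes effect. When all five version slots are
# used, the oldest non-default version is deleted first. Prints the new VersionId.
publish_policy_version() {
    validate_identity_policy "$2" || {
        echo "refusing to publish: Access Analyzer reported ERROR findings" >&2
        return 1
    }
    if [ "$(version_count "$1")" -ge 5 ]; then
        old=$(oldest_non_default_version "$1")
        aws iam delete-policy-version --policy-arn "$1" --version-id "$old"
    fi
    aws iam create-policy-version --policy-arn "$1" \
        --policy-document "file://$2" --set-as-default \
        --query 'PolicyVersion.VersionId' --output text
}

# Undo a bad edit by making an earlier version ($2) of policy $1 the default
# again; version documents are immutable, so no new version is needed.
rollback_policy_version() {
    aws iam set-default-policy-version --policy-arn "$1" --version-id "$2"
}

# Usage with a hypothetical policy:
# publish_policy_version arn:aws:iam::123456789012:policy/ExampleAppPolicy new-policy.json
# rollback_policy_version arn:aws:iam::123456789012:policy/ExampleAppPolicy v3
```

Deleting the oldest non-default version is a choice, not an IAM rule: if an older version is the known-good one you may want to keep for rollback, pick the victim differently. The JMESPath filter excludes the default version only because delete-policy-version rejects it, so the script never has to special-case that error.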
Editing inline policies (AWS CLI)
You can edit an inline policy from the AWS CLI.
To edit an inline policy (AWS CLI)
- (Optional) To view information about a policy, run the following commands:
  - To list the inline policies associated with an identity (a user, user group, or role): list-user-policies, list-group-policies, or list-role-policies
  - To retrieve detailed information about an inline policy: get-user-policy, get-group-policy, or get-role-policy
- To edit an inline policy, run the following command: put-user-policy, put-group-policy, or put-role-policy. Inline policies are not versioned: the put command replaces the entire policy document, and the previous document is gone once it succeeds. Save the current document with the matching get command first if you may need to roll back.
- (Optional) To validate an inline policy, run the following IAM Access Analyzer command: validate-policy (in the accessanalyzer service, with --policy-type IDENTITY_POLICY). Because there is no previous version to fall back on, validate the document before you put it.
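The inline-policy procedure above as a script that saves the current document before overwriting it, since put-role-policy has no version history to fall back on. This is an added example and is not code from the AWS documentation page. It assumes credentials that allow iam:GetRolePolicy and iam:PutRolePolicy; the role name, policy name and file paths in the usage comment are hypothetical placeholders. The same pattern applies to users and groups with the user and group variants of the commands.

```shell
#!/bin/sh
# Added example, not code from the AWS documentation page: replace an inline
# policy on an IAM role with the AWS CLI. Inline policies have no versions and
# put-role-policy overwrites the whole document, so the current document is
# saved to a local file first and can be restored from it.
# Assumptions: the role name, policy name and file paths in the usage comment
# are hypothetical placeholders; credentials allow iam:GetRolePolicy and
# iam:PutRolePolicy.
set -eu

# Save the current inline policy $2 of role $1 as JSON to file $3. Returns 1
# (and leaves no file behind) when the role has no inline policy of that name,
# which means a subsequent put would create the policy rather than replace it.
backup_inline_role_policy() {
    if aws iam get-role-policy --role-name "$1" --policy-name "$2" \
           --query PolicyDocument --output json > "$3" 2>/dev/null; then
        return 0
    fi
    rm -f "$3"
    return 1
}

# Replace (or create) inline policy $2 on role $1 with the document at path $3,
# after saving the previous document to path $4. Run validate-policy on $3
# before calling this. Prints "replaced" or "created" so the caller knows
# whether a backup file exists.
replace_inline_role_policy() {
    if backup_inline_role_policy "$1" "$2" "$4"; then
        outcome=replaced
    else
        outcome=created
    fi
    aws iam put-role-policy --role-name "$1" --policy-name "$2" \
        --policy-document "file://$3"
    echo "$outcome"
}

# Roll back: put the saved document at path $3 back as inline policy $2 on role $1.
restore_inline_role_policy() {
    aws iam put-role-policy --role-name "$1" --policy-name "$2" \
        --policy-document "file://$3"
}

# Usage with hypothetical names:
# replace_inline_role_policy AppRole AppS3Access new-inline.json previous-inline.json
# restore_inline_role_policy AppRole AppS3Access previous-inline.json
```

The backup uses --query PolicyDocument because the CLI returns the document as decoded JSON inside the get-role-policy response; writing that object to a file produces something put-role-policy accepts again via file://, which is what makes the restore step a one-liner.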