AWS::IAM::Policy - AWS CloudFormation
SyntaxPropertiesReturn valuesExamplesSee also

AWS::IAM::Policy

Adds or updates an inline policy document that is embedded in the specified IAM group, user or role.

An IAM user can also have a managed policy attached to it. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.

For information about policy documents see Creating IAM policies in the IAM User Guide.

For information about limits on the number of inline policies that you can embed in an identity, see Limitations on IAM Entities in the IAM User Guide.

Important

This resource does not support drift detection . The following inline policy resource types support drift detection:

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
      "Groups" : [ String, ... ],
      "PolicyDocument" : Json,
      "PolicyName" : String,
      "Roles" : [ String, ... ],
      "Users" : [ String, ... ]
    }
}

YAML

Type: AWS::IAM::Policy
Properties:
  Groups: 
    - String
  PolicyDocument: Json
  PolicyName: String
  Roles: 
    - String
  Users: 
    - String

Properties

Groups

The name of the group to associate the policy with.

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.

Required: No

Type: Array of String

Pattern: [\w+=,.@-]+

Minimum: 1

Maximum: 128

Update requires: No interruption

PolicyDocument

The policy document.

You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.

The regex pattern used to validate this parameter is a string of characters consisting of the following:

  • Any printable ASCII character ranging from the space character (\u0020) through the end of the ASCII character range

  • The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF)

  • The special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D)

Required: Yes

Type: Json

Minimum: 1

Maximum: 131072

Update requires: No interruption

PolicyName

The name of the policy document.

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Update requires: No interruption

Roles

The name of the role to associate the policy with.

This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Note

If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.

Required: No

Type: Array of String

Update requires: No interruption

Users

The name of the user to associate the policy with.

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Required: No

Type: Array of String

Pattern: [\w+=,.@-]+

Minimum: 1

Maximum: 128

Update requires: No interruption

Return values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name.

For more information about using the Ref function, see Ref.

Examples

IAM Policy with policy group

JSON

{
    "Type": "AWS::IAM::Policy",
    "Properties": {
        "PolicyName": "CFNUsers",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "cloudformation:Describe*",
                        "cloudformation:List*",
                        "cloudformation:Get*"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "Groups": [
            {
                "Ref": "CFNUserGroup"
            }
        ]
    }
}

YAML

Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: CFNUsers
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'
  Groups:
    - !Ref CFNUserGroup

IAM Policy with specified role

JSON

{
    "Type": "AWS::IAM::Policy",
    "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "*",
                    "Resource": "*"
                }
            ]
        },
        "Roles": [
            {
                "Ref": "RootRole"
            }
        ]
    }
}

YAML

Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: root
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action: '*'
        Resource: '*'
  Roles:
    - !Ref RootRole

See also