IAM Policy Examples

• Administrator Access
  Grants full access to AWS services and resources.
  { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
• Power User Access
  Grants full access to AWS services and resources, but does not allow management of Users and groups
  { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": [ "iam:*", "organizations:*", "account:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole", "iam:ListRoles", "organizations:DescribeOrganization", "account:ListRegions" ], "Resource": "*" } ] }
• Amazon S3 Scoped Access to a project specific bucket directory (prefix)
  Provides full access to a dedicated prefix (S3 directory simulation) within a project specific bucket, but does not allow access to other prefixes within this bucket, other buckets or other services.
  { "Version": "2012-10-17", "Statement": [ { "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Effect": "Allow", "Resource": ["arn:aws:s3:::*"] }, { "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::project-xyz-bucket"], "Condition":{"StringEquals":{"s3:prefix":["","artifacts/"],"s3:delimiter":["/"]}} }, { "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::project-xyz-bucket"], "Condition":{"StringLike":{"s3:prefix":["artifacts/*"]}} }, { "Action":["s3:*"], "Effect":"Allow", "Resource": ["arn:aws:s3:::project-xyz-bucket/artifacts", "arn:aws:s3:::project-xyz-bucket/artifacts/*"] } ] }
• AWS CodeDeploy Deployer Access
  Provides access to register and deploy a revision.
  { "Version": "2012-10-17", "Statement": [ { "Action": [ "codedeploy:Batch*", "codedeploy:CreateDeployment", "codedeploy:Get*", "codedeploy:List*", "codedeploy:RegisterApplicationRevision" ], "Effect": "Allow", "Resource": "*" } ] }
• AWS Elastic Beanstalk Full Access
  Provides full access to AWS Elastic Beanstalk and underlying services that it requires such as S3 and EC2.
  { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*", "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*", "cloudformation:*", "rds:*", "sqs:*", "iam:PassRole" ], "Resource": "*" } ] }
• Amazon Elastic Container Service Full Access
  Provides administrative access to Amazon ECS resources.
  { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:GetMetricStatistics", "ec2:Describe*", "elasticloadbalancing:*", "ecs:*", "iam:ListInstanceProfiles", "iam:ListRoles", "iam:PassRole" ], "Resource": "*" } ] }
• AWS Lambda Full Access
  Provides full access to Lambda, S3, DynamoDB, CloudWatch Metrics and Logs.
  { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:*", "cognito-identity:ListIdentityPools", "cognito-sync:GetCognitoEvents", "cognito-sync:SetCognitoEvents", "dynamodb:*", "events:*", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles", "iam:PassRole", "kinesis:DescribeStream", "kinesis:ListStreams", "kinesis:PutRecord", "lambda:*", "logs:*", "s3:*", "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic", "sns:ListTopics", "sns:Subscribe", "sns:Unsubscribe" ], "Resource": "*" } ] }

IAM Policy Simulator

The IAM Policy Simulator (introduction | direct link) is a tool that enables you to test the effects of an IAM policy before you commit it to production.

AWS Policy Generator

The AWS Policy Generator is a tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources.

Info The AWS Policy Generator can generate different types of policies - please ensure to generate an identity-based IAM policy, other policy types are not applicable here.