Creating and Deleting a Policy
    • 27 Oct 2023

    Creating a Policy

    1. Click the Create Policy button.
    2. Enter a policy name. A list of suggested names may be displayed; you can select one of them or enter any name you like.
    3. Optionally, enter a description.

    4. Enter the policy document (JSON) directly, as in the example below, or build it with the Policy Generator, as described in Using the Policy Generator.

      Note that the following are the general formats for ARNs (the region and account-id fields may be empty, as they are for S3 bucket ARNs):
      arn:aws:service:region:account-id:resource-id
      arn:aws:service:region:account-id:resource-type/resource-id
      arn:aws:service:region:account-id:resource-type:resource-id

      Note that syntax errors are flagged as you enter the policy. For example, an incorrect Version value is flagged, as is a missing colon (:) between "Resource" and its value.

    5. When you see a message that the policy is valid, you can click Create Policy to create the new policy.

    With a user policy, you can control user access to buckets. In the following example, two users (Alice and Bob) belong to a common group called Consultants. Alice has access to only one bucket, named bucket1, and Bob has access to only one bucket, named bucket2. Three policies achieve this: one attached to the group, one attached to Alice, and one attached to Bob. The group policy grants only s3:ListAllMyBuckets and s3:GetBucketVersioning on all buckets (so both users can see the list of bucket names in the console) plus self-service IAM rights on the user's own IAM user; the per-user policies are what grant object access, and each is scoped to a single bucket.

    The Group policy is:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowGroupToSeeBucketListInTheConsole",
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketVersioning"
          ],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:Get*",
            "iam:List*",
            "iam:ChangePassword",
            "iam:UpdateLoginProfile",
            "iam:*MFA*",
            "sts:Get*"
          ],
          "Resource": "arn:aws:iam::${aws:accountid}:user/${aws:username}"
        }
      ]
    }

    The Alice policy is:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccessToBucketNamedBucket1",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:PutObjectAcl",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucket1",
            "arn:aws:s3:::bucket1/*"
          ]
        }
      ]
    }

    The Bob policy is:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccessToBucketNamedBucket2",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:PutObjectAcl",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucket2",
            "arn:aws:s3:::bucket2/*"
          ]
        }
      ]
    }

    Using the Policy Generator

    The Policy Generator enables you to create a policy with conditions using simple user interface controls.

    1. Click the Policy Generator button to begin creating a new policy.

    2. Enter a policy name. A list of suggested names may be displayed; you can select one of them or enter any name you like.
    3. Optionally, enter a description.
    4. Click Rule and then enter the information for the rule.

    5. Optionally, add conditions using the Condition and Key drop-downs and the Value field.

       Click ADD CONDITIONS to include more conditions. Click the delete icon next to a condition to remove it.

    6. Optionally, click + ADD RULE (above the APPLY button in the bottom right) to add another rule to the policy, and repeat Steps 4 and 5 to define it.
    7. Click APPLY. The generated policy is displayed.

    8. Click Create Policy.
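    The following Python script is an added example; it is not part of this article and not the product's own validation or authorization code. It models two things described above: the validity check that flags an incorrect Version or a missing colon as you type, and how the Consultants group policy and the Alice/Bob user policies combine so that each user reaches only her or his own bucket. The evaluator is a deliberately simplified model of standard IAM semantics (default deny, explicit Deny wins, wildcard matching, ${aws:...} variable substitution, and only StringEquals/StringLike conditions). The optional Condition that bucket_policy accepts stands in for what a Policy Generator rule with conditions adds to a statement; the s3:prefix "reports/*" condition used in the notes below is a hypothetical illustration, and the account ID 123456789012 is made up.

```python
"""IAM-style policy syntax check and evaluation. Added example, not the product's code:
a simplified model of the console's validity check and of how group and user policies combine."""
import fnmatch
import json
import re

# arn:partition:service:region:account-id:resource; region/account-id may be empty (S3) or a ${aws:...} variable.
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:(?:\$\{[^}]*\}|[^:]*):.+$")
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*?]+$")  # service:Action, wildcards allowed

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _statements(doc):
    stmts = doc.get("Statement") or []
    return [stmts] if isinstance(stmts, dict) else [s for s in stmts if isinstance(s, dict)]

def validate_policy(policy):
    """Return the problems found (empty list means valid). Accepts the text typed into the
    console or a parsed dict; a JSON syntax error is reported with its line number."""
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except json.JSONDecodeError as exc:  # e.g. the missing colon after "Resource"
            return [f"line {exc.lineno}: {exc.msg}"]
    errors = []
    if policy.get("Version") != "2012-10-17":  # the version every example above uses
        errors.append(f"unsupported Version {policy.get('Version')!r}")
    statements = _statements(policy)
    if not statements:
        errors.append("Statement must be a non-empty list")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
        for key, pattern in (("Action", ACTION_RE), ("Resource", ARN_RE)):
            values = _as_list(stmt.get(key) or [])
            if not values:
                errors.append(f"statement {i}: missing {key}")
            for value in values:
                if value != "*" and not pattern.match(value):
                    errors.append(f"statement {i}: malformed {key} {value!r}")
    return errors

def _matches(patterns, value, ctx, fold_case=False):
    """Wildcard-match a request value against policy patterns after substituting ${aws:...} variables."""
    for pat in _as_list(patterns):
        pat = re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), pat)
        if fold_case:  # action names are matched case-insensitively
            pat, value = pat.lower(), value.lower()
        if fnmatch.fnmatchcase(value, pat):
            return True
    return False

def _condition_ok(condition, ctx):
    """Minimal Condition block: missing context keys and unknown operators fail closed."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None or operator not in ("StringEquals", "StringLike"):
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not _matches(wanted, actual, ctx):
                return False
    return True

def is_allowed(policies, action, resource, ctx=None):
    """Evaluate all attached policies together (group plus user). Default deny; an explicit Deny wins."""
    ctx = ctx or {}
    allowed = False
    for doc in policies:
        for stmt in _statements(doc):
            if (_matches(stmt.get("Action") or [], action, ctx, fold_case=True)
                    and _matches(stmt.get("Resource") or [], resource, ctx)
                    and _condition_ok(stmt.get("Condition") or {}, ctx)):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed

# The three policies from the Consultants example above, as Python dicts.
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowGroupToSeeBucketListInTheConsole", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketVersioning"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:ChangePassword",
                                   "iam:UpdateLoginProfile", "iam:*MFA*", "sts:Get*"],
     "Resource": "arn:aws:iam::${aws:accountid}:user/${aws:username}"}]}

def bucket_policy(sid, bucket, condition=None):
    """Per-user policy from the example; the optional Condition models a generator rule with conditions."""
    stmt = {"Sid": sid, "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
                       "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

ALICE_POLICY = bucket_policy("AllowAccessToBucketNamedBucket1", "bucket1")
BOB_POLICY = bucket_policy("AllowAccessToBucketNamedBucket2", "bucket2")
```

    Two checks worth running before you paste a policy into the console: validate_policy on the text you are about to submit, and is_allowed with the exact action and ARN a user will need (for example s3:GetObject on arn:aws:s3:::bucket2/q3.csv with the request context {"aws:username": "Alice", "aws:accountid": "123456789012"}), which for Alice returns False while the same object in bucket1 returns True. Because the group policy's IAM statement names the user's own ARN through ${aws:username}, Alice can call iam:EnableMFADevice on user/Alice but not on user/Bob. A rule built in the Policy Generator with a StringLike condition on s3:prefix, such as "reports/*", is modelled by passing that condition to bucket_policy: the ListBucket request then succeeds only when the request context carries a matching prefix, and fails closed when the key is absent.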

    Deleting a Policy

    To delete a policy, you must first delete all of its versions (if any exist). Refer to Reviewing and Managing Policy Versions.

    You cannot delete a policy that is attached to a user, group, or role. To do so, first remove it from the user, group, and/or role and then delete the policy.
    1. On the Policies List panel, click the policy you want to delete. The Policy panel is displayed.

    2. Click Delete Policy in the top right.
    3. Confirm that you want to delete the policy. Click Delete to do so (otherwise, click Cancel).
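    The same order of operations as a script, added here as an example and not taken from the product: delete the policy's versions, detach it from every user, group and role, and only then delete the policy. The function is written against the boto3 IAM client method names (list_policy_versions, delete_policy_version, list_entities_for_policy, detach_user_policy, detach_group_policy, detach_role_policy, delete_policy); FakeIAM is a constructed in-memory stand-in so the script runs offline, and it refuses a delete_policy call on a policy that is still attached or still has extra versions, which is the conflict the note above warns about. The policy ARN, the account ID, and the use of boto3.client("iam", endpoint_url=...) against a real endpoint are assumptions.

```python
"""Delete a managed policy in the order the article requires: versions, then attachments,
then the policy. Added example written against boto3 IAM client method names; FakeIAM is a
constructed stand-in. For a real run pass boto3.client("iam", endpoint_url=...) (assumption)."""

def _pages(call, **kwargs):
    """Follow the IsTruncated/Marker pagination of the IAM list_* calls."""
    marker = None
    while True:
        page = call(**kwargs, **({"Marker": marker} if marker else {}))
        yield page
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]

def delete_policy_completely(iam, policy_arn):
    """Return the operations performed, in order, so the caller can log them."""
    done = []
    # 1. Versions first. As in AWS IAM, the default version cannot be deleted on its
    #    own and is removed together with the policy.
    for page in _pages(iam.list_policy_versions, PolicyArn=policy_arn):
        for version in page["Versions"]:
            if not version["IsDefaultVersion"]:
                iam.delete_policy_version(PolicyArn=policy_arn, VersionId=version["VersionId"])
                done.append(("delete_policy_version", version["VersionId"]))
    # 2. Collect every attachment before detaching anything: detaching while still
    #    paging through the listing can shift the marker and skip entries.
    users, groups, roles = [], [], []
    for page in _pages(iam.list_entities_for_policy, PolicyArn=policy_arn):
        users += [u["UserName"] for u in page.get("PolicyUsers", [])]
        groups += [g["GroupName"] for g in page.get("PolicyGroups", [])]
        roles += [r["RoleName"] for r in page.get("PolicyRoles", [])]
    for name in users:
        iam.detach_user_policy(UserName=name, PolicyArn=policy_arn)
        done.append(("detach_user_policy", name))
    for name in groups:
        iam.detach_group_policy(GroupName=name, PolicyArn=policy_arn)
        done.append(("detach_group_policy", name))
    for name in roles:
        iam.detach_role_policy(RoleName=name, PolicyArn=policy_arn)
        done.append(("detach_role_policy", name))
    # 3. Only now can the policy itself go.
    iam.delete_policy(PolicyArn=policy_arn)
    done.append(("delete_policy", policy_arn))
    return done

class FakeIAM:
    """Constructed stand-in for boto3's IAM client: returns one attachment per page and
    refuses to delete a policy that is still attached or still has extra versions."""

    def __init__(self, versions, users=(), groups=(), roles=()):
        self.versions = dict(versions)  # VersionId -> IsDefaultVersion
        self.users, self.groups, self.roles = list(users), list(groups), list(roles)
        self.deleted = False

    def list_policy_versions(self, PolicyArn, Marker=None):
        return {"Versions": [{"VersionId": v, "IsDefaultVersion": d}
                             for v, d in self.versions.items()], "IsTruncated": False}

    def delete_policy_version(self, PolicyArn, VersionId):
        if self.versions[VersionId]:
            raise RuntimeError("DeleteConflict: cannot delete the default version")
        del self.versions[VersionId]

    def list_entities_for_policy(self, PolicyArn, Marker=None):
        entries = ([("PolicyUsers", "UserName", u) for u in self.users]
                   + [("PolicyGroups", "GroupName", g) for g in self.groups]
                   + [("PolicyRoles", "RoleName", r) for r in self.roles])
        i = int(Marker or 0)
        page = {"PolicyUsers": [], "PolicyGroups": [], "PolicyRoles": [],
                "IsTruncated": i + 1 < len(entries)}
        if i < len(entries):
            kind, field, name = entries[i]
            page[kind].append({field: name})
        if page["IsTruncated"]:
            page["Marker"] = str(i + 1)
        return page

    def detach_user_policy(self, UserName, PolicyArn):
        self.users.remove(UserName)

    def detach_group_policy(self, GroupName, PolicyArn):
        self.groups.remove(GroupName)

    def detach_role_policy(self, RoleName, PolicyArn):
        self.roles.remove(RoleName)

    def delete_policy(self, PolicyArn):
        if self.users or self.groups or self.roles or len(self.versions) > 1:
            raise RuntimeError("DeleteConflict: policy is still attached or has versions")
        self.deleted = True

if __name__ == "__main__":
    fake = FakeIAM({"v1": False, "v2": True}, users=["Alice", "Bob"], groups=["Consultants"])
    for op in delete_policy_completely(fake, "arn:aws:iam::123456789012:policy/Consultants"):
        print(*op)
```

    The attachments are collected in full before the first detach call on purpose: the list call is paginated, and removing entries while walking the pages is the kind of off-by-one that leaves one user still attached, after which the final delete_policy call fails with a conflict.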