AWS IAM: Attach Policies to Roles and Users

Attach managed and inline IAM policies to roles and users with the aws iam attach-role-policy and put-role-policy commands.

Detailed Explanation

Attaching IAM Policies

After creating an IAM role or user, you need to attach policies that grant permissions. AWS supports two types: managed policies (standalone, versioned, and reusable across many identities) and inline policies (embedded directly in a single role or user, and deleted with it).

Attach a Managed Policy to a Role

aws iam attach-role-policy \
  --role-name lambda-exec-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Common AWS Managed Policies

Policy ARN                                            Grants
arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess        Read-only S3
arn:aws:iam::aws:policy/AmazonS3FullAccess            Full S3 access
arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess      Full DynamoDB
arn:aws:iam::aws:policy/AWSLambdaBasicExecutionRole   CloudWatch Logs for Lambda
arn:aws:iam::aws:policy/AmazonEC2FullAccess           Full EC2 access
arn:aws:iam::aws:policy/AdministratorAccess           Full AWS access (use cautiously)

Add an Inline Policy

aws iam put-role-policy \
  --role-name lambda-exec-role \
  --policy-name s3-write-specific-bucket \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::my-upload-bucket/*"
    }]
  }'

Attach Policy to a User

aws iam attach-user-policy \
  --user-name developer \
  --policy-arn arn:aws:iam::aws:policy/PowerUserAccess

List Attached Policies

aws iam list-attached-role-policies --role-name lambda-exec-role

This lists only the managed policies attached to the role; inline policies added with put-role-policy are listed separately with aws iam list-role-policies, so an audit of a role's effective permissions needs both.

Detach a Policy

aws iam detach-role-policy \
  --role-name lambda-exec-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Best Practice: Least Privilege

Always start with the minimum permissions needed and add more only when required. Use inline policies for specific, narrow permissions and managed policies for broad, reusable permission sets.
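The following is an added example, not part of the original page: a small offline checker that applies the least-privilege rule to the inline policy document shown above and to a list of attached managed-policy ARNs. It flags Allow statements that use wildcard actions or resources (or NotAction/NotResource) and any managed policy from the table above that grants broad access. The sample policies and the broad-policy list are constructed for the example; the function and variable names are assumptions, not AWS APIs.

```python
import json

# Managed policies from the table above that grant broad access; worth flagging in an audit.
BROAD_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
}

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_policy_findings(policy_document):
    """Return findings for Allow statements that use wildcards or NotAction/NotResource.
    policy_document is a dict or a JSON string in IAM policy grammar."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource '*'")
    return findings

def find_broad_managed(attached_policy_arns):
    """Return the attached managed-policy ARNs that are on the broad-access list."""
    return sorted(arn for arn in attached_policy_arns if arn in BROAD_MANAGED_POLICIES)

# Constructed samples: the page's inline policy, and an over-broad one for contrast.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::my-upload-bucket/*"}]})
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(find_policy_findings(SCOPED_POLICY))  # []
    print(find_policy_findings(BROAD_POLICY))   # wildcard action and wildcard resource
    print(find_broad_managed(["arn:aws:iam::aws:policy/AdministratorAccess"]))
```

The same checker can be fed the JSON that aws iam get-role-policy and aws iam list-attached-role-policies return, so a role can be reviewed before it is handed to a Lambda function or ECS task.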

Use Case

Granting Lambda functions access to S3 or DynamoDB, setting up developer IAM users with appropriate permissions, configuring service roles for ECS tasks, or implementing least-privilege access patterns.
