Create a customer managed IAM policy
📑 On this page
Part 95 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
A customer managed policy is a standalone IAM resource with an ARN and version history.
Before you run it
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
POLICY_NAME="AwsZeroListBuckets"
cat > list-buckets-policy.json <<'EOF'
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}]
}
EOFValidate the file with IAM Access Analyzer before creating the policy.
The command
POLICY_ARN=$(aws iam create-policy \
--policy-name "$POLICY_NAME" \
--description "AWS from Zero list-buckets demo" \
--policy-document file://list-buckets-policy.json \
--tags Key=Series,Value=aws-from-zero \
--query "Policy.Arn" \
--output text)
echo "$POLICY_ARN"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam get-policy \
--policy-arn "$POLICY_ARN" \
--query "Policy.{Name:PolicyName,Arn:Arn,DefaultVersion:DefaultVersionId,Attachments:AttachmentCount}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam list-policies \
--scope Local \
--query "Policies[?PolicyName=='AwsZeroListBuckets'].Arn" \
--output textScope Local excludes AWS managed policies and returns policies owned by your account.
Common mistake
Policy names are not enough for attachment or deletion. Preserve and use the full policy ARN.
Cleanup
aws iam delete-policy --policy-arn "$POLICY_ARN"
rm list-buckets-policy.jsonA managed policy can be deleted only after it is detached and its non-default versions are removed. Keep it for the next lessons if following in order.
Next, we will learn Inspect IAM managed policy metadata.