← All posts
2 min read

Detach a managed policy from an IAM user

#aws#cli#iam#security#identity
📑 On this page

Part 99 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Detaching removes one permission path but leaves the managed policy resource available for other identities.

Before you run it

USER_NAME="aws-zero-learner"
POLICY_ARN="arn:aws:iam::123456789012:policy/AwsZeroListBuckets"

List policy entities first so you understand every attachment.

The command

aws iam detach-user-policy \
  --user-name "$USER_NAME" \
  --policy-arn "$POLICY_ARN"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam list-attached-user-policies \
  --user-name "$USER_NAME" \
  --query "AttachedPolicies[?PolicyArn=='$POLICY_ARN']"

An empty array confirms the direct user attachment is gone.

One tiny variation

aws iam list-entities-for-policy \
  --policy-arn "$POLICY_ARN"

Other group or role attachments may still use the policy.

Common mistake

Do not delete a policy as a substitute for detaching one user. Deletion has a broader blast radius and fails while attachments remain.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn Create a new IAM managed policy version.

Official AWS CLI reference