AWS::IAM::ManagedPolicy
AWS::IAM::ManagedPolicy creates an AWS Identity and Access Management (IAM) managed policy for your AWS account, which you can use to apply permissions to IAM users, groups, and roles. For more information about managed policies, see Managed Policies and Inline Policies in the IAM User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::IAM::ManagedPolicy",
  "Properties" : {
    "Description" : String,
    "Groups" : [ String, ... ],
    "Path" : String,
    "PolicyDocument" : JSON object,
    "Roles" : [ String, ... ],
    "Users" : [ String, ... ],
    "ManagedPolicyName" : String
  }
}
YAML
Type: AWS::IAM::ManagedPolicy
Properties:
  Description: String
  Groups:
    - String
  Path: String
  PolicyDocument: JSON object
  Roles:
    - String
  Users:
    - String
  ManagedPolicyName: String
Properties
Description
A description of the IAM policy. For example, describe the permissions that are defined in the policy.
Required: No
Type: String
Update requires: Replacement
Groups
The names of IAM groups to attach to this policy.
Required: No
Type: List of String values
Update requires: No interruption
Path
The path for the IAM policy. By default, the path is /. For more information, see IAM Identifiers in the IAM User Guide.
Required: No
Type: String
Update requires: Replacement
PolicyDocument
Policies that define the permissions for this managed policy. For more information about policy syntax, see IAM Policy Elements Reference in the IAM User Guide.
Required: Yes
Type: JSON object
Note
AWS Identity and Access Management (IAM) requires that policies be in JSON format. However, for templates formatted in YAML, you can create an IAM policy in either JSON or YAML format. AWS CloudFormation always converts a policy to JSON format before submitting it to IAM.
Update requires: No interruption
Roles
The names of IAM roles to attach to this policy.
Note
If a policy has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource so that the resource depends on the policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that the AWS::ECS::Service resource can complete its deletion before its role's policy is deleted.
Required: No
Type: List of String values
Update requires: No interruption
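As an added example (not AWS code and not part of this page), the following Python check walks a CloudFormation template, finds resources whose properties Ref a role that an AWS::IAM::ManagedPolicy also attaches to through its Roles property, and reports any such resource that does not list the policy in DependsOn; a second function returns a copy of the template with the missing dependency added. The embedded template, its logical IDs (TaskRole, TaskPolicy, Service), the policy actions and the function names are constructed for this example, and the ECS service omits the properties a deployable stack would need.

```python
import copy
import json

# Constructed, deliberately minimal template: an ECS service that Refs a role,
# and a managed policy that attaches to the same role, with no DependsOn.
# Required ECS/IAM properties are omitted; this is not a deployable stack.
TEMPLATE = json.loads("""
{
  "Resources": {
    "TaskRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Principal": {"Service": "ecs.amazonaws.com"},
                         "Action": "sts:AssumeRole"}]
        }
      }
    },
    "TaskPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Action": "elasticloadbalancing:Describe*",
                         "Resource": "*"}]
        },
        "Roles": [{"Ref": "TaskRole"}]
      }
    },
    "Service": {
      "Type": "AWS::ECS::Service",
      "Properties": {"Role": {"Ref": "TaskRole"}}
    }
  }
}
""")


def _refs(node):
    """Yield every logical ID referenced by a {"Ref": ...} anywhere under node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        else:
            for value in node.values():
                yield from _refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from _refs(value)


def _depends_on(resource: dict) -> set:
    """DependsOn may be a single string or a list; normalise to a set."""
    deps = resource.get("DependsOn", [])
    return {deps} if isinstance(deps, str) else set(deps)


def find_missing_depends_on(template: dict) -> list:
    """Return (resource, role, policy) triples where a non-IAM resource Refs a role
    that a managed policy attaches to, but does not depend on that policy."""
    resources = template.get("Resources", {})
    attached = {}  # role logical ID -> managed policies attached to it
    for policy_id, policy in resources.items():
        if policy.get("Type") == "AWS::IAM::ManagedPolicy":
            for role in _refs(policy.get("Properties", {}).get("Roles", [])):
                attached.setdefault(role, set()).add(policy_id)
    findings = []
    for resource_id, resource in resources.items():
        if resource.get("Type", "").startswith("AWS::IAM::"):
            continue
        for role in set(_refs(resource.get("Properties", {}))):
            for policy_id in sorted(attached.get(role, ())):
                if policy_id not in _depends_on(resource):
                    findings.append((resource_id, role, policy_id))
    return sorted(findings)


def add_depends_on(template: dict) -> dict:
    """Return a copy of the template with DependsOn added for every finding."""
    fixed = copy.deepcopy(template)
    for resource_id, _role, policy_id in find_missing_depends_on(template):
        resource = fixed["Resources"][resource_id]
        resource["DependsOn"] = sorted(_depends_on(resource) | {policy_id})
    return fixed


if __name__ == "__main__":
    print("findings:", find_missing_depends_on(TEMPLATE))
    print("after fix:", find_missing_depends_on(add_depends_on(TEMPLATE)))
```

The check deliberately ignores Fn::GetAtt and Fn::Sub references; a production linter would resolve those as well, since a service that takes the role's ARN through Fn::GetAtt has the same lifecycle dependency.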
Users
The names of users to attach to this policy.
Required: No
Type: List of String values
Update requires: No interruption
ManagedPolicyName
A custom, friendly name for your IAM managed policy. For valid values, see the PolicyName parameter of the CreatePolicy action in the IAM API Reference. If you don't specify a PolicyName, AWS CloudFormation generates a unique physical ID and uses that ID for the policy name. For more information, see Name Type.
Important
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN.
In the following sample, the Ref function returns the ARN of the CreateTestDBPolicy managed policy, such as arn:aws:iam::123456789012:policy/teststack-CreateTestDBPolicy-16M23YE3CS700.
{ "Ref": "CreateTestDBPolicy" }
For more information about using the Ref function, see Ref.
Example
The following example creates a managed policy and associates it with the TestDBGroup group. The managed policy grants users permission to create t2.micro database instances. The database must use the MySQL database engine and the instance name must include the prefix test.
JSON
"CreateTestDBPolicy" : {
  "Type" : "AWS::IAM::ManagedPolicy",
  "Properties" : {
    "Description" : "Policy for creating a test database",
    "Path" : "/",
    "PolicyDocument" : {
      "Version" : "2012-10-17",
      "Statement" : [{
        "Effect" : "Allow",
        "Action" : "rds:CreateDBInstance",
        "Resource" : { "Fn::Join" : [ "", [ "arn:aws:rds:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":db:test*" ] ] },
        "Condition" : {
          "StringEquals" : {
            "rds:DatabaseEngine" : "mysql",
            "rds:DatabaseClass" : "db.t2.micro"
          }
        }
      }]
    },
    "Groups" : [ "TestDBGroup" ]
  }
}
YAML
CreateTestDBPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    Description: "Policy for creating a test database"
    Path: "/"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        # Both condition keys sit in one statement so that a request must match
        # both; conditions split across separate Allow statements would each
        # grant access on their own.
        - Effect: "Allow"
          Action: "rds:CreateDBInstance"
          Resource:
            Fn::Join:
              - ""
              - - "arn:aws:rds:"
                - Ref: "AWS::Region"
                - ":"
                - Ref: "AWS::AccountId"
                - ":db:test*"
          Condition:
            StringEquals:
              rds:DatabaseEngine: "mysql"
              rds:DatabaseClass: "db.t2.micro"
    Groups:
      - "TestDBGroup"
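As an added example (not AWS code and not part of this page), the following Python evaluator models the subset of IAM semantics this example depends on: access is denied by default, any matching Allow statement grants it, and within a single statement every StringEquals key must match. It evaluates constructed rds:CreateDBInstance requests against two variants of the policy document, one with the engine and class conditions in separate statements and one with both keys in a single statement, to show that only the single-statement form actually requires "MySQL and t2.micro". The region value, the request contexts and the helper names are assumptions; the account ID is the one used in the Ref sample above. Deny statements, NotAction, policy variables and other condition operators are not modelled.

```python
import re

# Constructed values standing in for AWS::Region and AWS::AccountId in the
# Fn::Join of the example; the account ID is the one from the Ref sample above.
REGION = "us-east-1"
ACCOUNT = "123456789012"
TEST_DB_ARN_PATTERN = f"arn:aws:rds:{REGION}:{ACCOUNT}:db:test*"


def _statement(condition: dict) -> dict:
    """Build one Allow statement for rds:CreateDBInstance with a StringEquals block."""
    return {
        "Effect": "Allow",
        "Action": "rds:CreateDBInstance",
        "Resource": TEST_DB_ARN_PATTERN,
        "Condition": {"StringEquals": condition},
    }


# Variant A: one condition key per statement. Because any matching Allow
# statement grants access, this permits MySQL of any class OR t2.micro of any engine.
POLICY_SEPARATE_STATEMENTS = {
    "Version": "2012-10-17",
    "Statement": [
        _statement({"rds:DatabaseEngine": "mysql"}),
        _statement({"rds:DatabaseClass": "db.t2.micro"}),
    ],
}

# Variant B: both keys in one StringEquals block. Every key in a statement's
# Condition must match, so the request must be MySQL AND t2.micro.
POLICY_SINGLE_STATEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        _statement({"rds:DatabaseEngine": "mysql", "rds:DatabaseClass": "db.t2.micro"}),
    ],
}


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Default deny; True if at least one Allow statement fully matches the request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Every listed key must be present in the request context and equal (logical AND).
        if all(context.get(key) in _as_list(allowed) for key, allowed in string_equals.items()):
            return True
    return False


def compare(engine: str, db_class: str, db_identifier: str) -> tuple:
    """Evaluate one constructed rds:CreateDBInstance request against both variants.
    Returns (allowed_by_separate_statements, allowed_by_single_statement)."""
    resource = f"arn:aws:rds:{REGION}:{ACCOUNT}:db:{db_identifier}"
    context = {"rds:DatabaseEngine": engine, "rds:DatabaseClass": db_class}
    return (
        is_allowed(POLICY_SEPARATE_STATEMENTS, "rds:CreateDBInstance", resource, context),
        is_allowed(POLICY_SINGLE_STATEMENT, "rds:CreateDBInstance", resource, context),
    )


if __name__ == "__main__":
    for request in [("mysql", "db.t2.micro", "test-db"),
                    ("postgres", "db.t2.micro", "test-db"),
                    ("mysql", "db.m5.large", "test-db"),
                    ("mysql", "db.t2.micro", "prod-db")]:
        separate, single = compare(*request)
        print(request, "separate statements:", separate, "single statement:", single)
```

The second and third requests are the ones to watch: a PostgreSQL t2.micro and a MySQL m5.large are both allowed by the separate-statement variant and denied by the single-statement one, while a non-test identifier is denied by both because the Resource pattern never matches. Before relying on a policy's conditions, the IAM policy simulator (or a check like this one) is the place to confirm which combination you have actually written.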
