Appendix B. Creating IAM Policies in AWS


This section provides instructions on steps performed in a third-party application. Keep in mind that the instructions may become outdated. For up-to-date instructions, see AWS Documentation.

When you create an IAM role, you must define permissions that the role will have in AWS. To define the role permissions, you must create an IAM policy and attach it to the IAM role. For more information on managing IAM identity permissions, see AWS Documentation.

To create an IAM policy using the AWS Management Console, do the following:

  1. Log in to the AWS Management Console using credentials of an AWS account in which you want to create the IAM policy.
  2. Navigate to All Services > Security, Identity, & Compliance and click IAM.
  3. In the IAM console, navigate to Access Management > Policies and click Create policy.
  4. Complete the Create policy wizard:
  1. At the Editor step of the wizard, switch to the JSON tab.
  2. Type or paste a JSON policy document.

The JSON policy document must include permissions required for an IAM role to which you want to attach the policy. For more information on required permissions, see IAM Permissions. To learn how to write JSON policy documents, see AWS Documentation.


Consider the following AWS limitations on IAM policy sizing:

  • The size of a managed IAM policy cannot exceed 6.144 characters. For more information on managed IAM policies, see AWS Documentation.
  • The total size of all inline IAM policies added to an IAM role cannot exceed 10.240 characters. For more information on inline IAM policies, see AWS Documentation.

For more information on IAM character limits, see AWS Documentation.

  1. At the Tags step of the wizard, specify AWS tags that will be assigned to the IAM policy.
  2. At the Review step of the wizard, specify a name and description for the IAM policy. Review the configured settings and click Create policy.

After you create a policy, you can attach it to IAM roles as described in section Appendix A. Creating IAM Roles in AWS.