Example IAM Policies
Customizable IAM policies across cloud providers to save you authoring time
SCP: Prevent users from deleting Amazon VPC flow logs
This policy prevents principals from deleting EC2 flow logs or CloudWatch log gr...
Aug 09, 2022 by Ivan Dwyer
SCP: Require a tag on specified created resources
This policy prevents principals from creating certain resource types if the requ...
Aug 09, 2022 by Ivan Dwyer
SCP: Prevent users from disabling Amazon GuardDuty
This policy prevents principals from disabling GuardDuty or altering its configu...
Aug 09, 2022 by Ivan Dwyer
SCP: Require Amazon EC2 instances to use a specific type
This policy requires any EC2 instance spun up to be of the specified type
Aug 09, 2022 by Ivan Dwyer
SCP: Prevent users from disabling AWS Config
This policy prevents any principals from disabling or modifying AWS Config or an...
Aug 09, 2022 by Ivan Dwyer
SCP: Prevent users from disabling CloudWatch
This policy prevents any principals from disabling or modifying CloudWatch dashb...
Aug 09, 2022 by Ivan Dwyer
SCP: Prevent member accounts from leaving the organization
This policy blocks use of the LeaveOrganization API operation so that administra...
Aug 09, 2022 by Ivan Dwyer
SCP: Require MFA to perform an API action
This SCP requires MFA to be enabled for any principal requesting select API acti...
Aug 09, 2022 by Ivan Dwyer
SCP: Prevent changes to an IAM Role
This SCP prevents principals from making IAM changes to a specified IAM Role
Aug 09, 2022 by Ivan Dwyer
SCP: Deny access to AWS based on the requested AWS Region
This SCP denies access to any operations outside of the specified Regions.
Aug 09, 2022 by Ivan Dwyer
AWS ECR Resource Policy: Block Outside Specific Public IP Ra...
Permits connection from only a specific public IP range
Mar 07, 2022 by Kyler Middleton
AWS ECR: Permit Cross Account Image Upload
Grant n AWS accounts, any principal, to connect to ECR resource and upload image...
Mar 07, 2022 by Kyler Middleton
AWS ECR: Permit Cross Account Image Download
Grant other accounts access to an ECR, account-wide
Feb 16, 2022 by Kyler Middleton
Permit Access to Cross-Account Secret and KMS Key
Policy for principal (User, Service) to access cross-account secret and KMS CMK...
Feb 16, 2022 by Kyler Middleton
S3: Permit Only CloudFront Specific Distribution
For public access, permit only specific CloudFront distribution
Feb 14, 2022 by Kyler Middleton
Assume Role Trust Policy with Conditional to Limit to Specif...
IAM assume role trust policy which permits assuming only from specific role(s)
Feb 02, 2022 by Kyler Middleton
Assume Role Trust Policy from EC2 Instance
Permit EC2 instance to assume IAM role with this trust policy
Feb 02, 2022 by Kyler Middleton
Assume Role Policy to Permit ECS Task to Assume IAM Role
Trust policy on an IAM role to permit an ECS task (launched container) to assume...
Feb 02, 2022 by Kyler Middleton
Allow Principals to Encrypt via KMS but Deny Decrypt via KMS
Secrets decryption is a sensitive operation and should not be done by most human...
Feb 01, 2022 by Daniel Popescu
Limit S3 Web Access to Specific Public IPs
Useful for dev/stage web development, where the site is stored in S3. Can use many p...
Jan 24, 2022 by Kyler Middleton
Secrets Manager Secrets IAM Policy to Permit Multi-Account A...
Share Secrets Manager secret contents between accounts
Jan 21, 2022 by Kyler Middleton
Allow Cross-Account KMS Key Decryption to Specific IAM Roles
Permits other account IAM roles to decrypt KMS key
Jan 21, 2022 by Kyler Middleton
Default KMS policy for keys
Default policy which grants access to the root user to this KMS key.
Jan 21, 2022 by Kyler Middleton
Permit User to Read/Write Specific Folder in S3 Bucket
Permit an IAM User to read and write to an S3 bucket
Jan 21, 2022 by Kyler Middleton