Example IAM Policies

This policy prevents principals from deleting EC2 flow logs or CloudWatch log gr...

This policy prevents principals from creating certain resource types if the requ...

This policy prevents principals from disabling GuardDuty or altering its configu...

This policy requires any EC2 instance spun up be of the specified type

This policy prevents any principals from disabling or modifying AWS Config or an...

This policy prevents any principals from disabling or modifying CloudWatch dashb...

This policy blocks use of the LeaveOrganization API operation so that administra...

This SCP requires MFA to be enabled for any principal requesting select API acti...

This SCP prevents principals from making IAM changes to a specified IAM Role

This SCP denies access to any operations outside of the specified Regions.

Permits connection from only a specific public IP range

Grant n AWS accounts, any principal, to connect to ECR resource and upload image...

Grant other accounts access to an ECR, account-wide

Policy for principal (User, Service) to access cross-account secret and KMS CMK...

For public access, permit only specific CloudFront distribution

IAM assume role trust policy which permits assuming only from specific role(s)

Permit EC2 instance to assume IAM role with this trust policy

Trust policy on an IAM role to permit an ECS task (launched container) to assume...

Secrets decryption is a sensitive operation and should not be done by most human...

Useful for dev/stage web development, where site is stored in s3. Can use many p...

Share Secrets Manager secret contents between accounts

Permits other account IAM roles to decrypt KMS key

Default policy which grants access to the root user to this KMS key.

Permit an IAM User to read and write to an S3 bucket