Updated on 2024-02-21 GMT+08:00

Creating IAM Custom Policies for IAM Identity Center

You can create custom policies to supplement the system-defined policies of IAM Identity Center.

To create a custom policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following are examples of common IAM Identity Center custom policies.

Example Custom Policies

  • Example 1: Grant permission to create a permission set.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "IdentityCenter:permissionSet:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:delegatedAdministrators:list"
                ]
            }
        ]
    }
  • Example 2: Grant permission to deny permission set deletion.

    A policy that contains only "Deny" statements grants nothing on its own and must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny" for the same action, the "Deny" permissions take precedence over the "Allow" permissions.

    Assume that you want to grant the permissions of the IdentityCenter FullAccess policy to a user but want to prevent them from deleting permission sets. You can create a custom policy that denies permission set deletion and attach it together with the IdentityCenter FullAccess policy to the user. Because an explicit deny in any policy overrides any allow, the user can perform all operations in IAM Identity Center except deleting permission sets.

    Example policy denying permission set deletion:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "IdentityCenter:permissionSet:delete"
                ]
            }
        ]
    }
  • Example 3: Create a custom policy containing multiple actions.

    A custom policy can contain actions of one or more services, provided that all of the services are of the same type (global or project-level).

    Example policy containing multiple actions:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "IdentityCenter:permissionSet:delete",
                    "IdentityCenter:user:create",
                    "IdentityCenter:permissionSet:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:delegatedAdministrators:list"
                ]
            }
        ]
    }
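The evaluation rule behind Example 2 (an explicit deny in any attached policy wins over every allow, and a deny-only policy grants nothing by itself) is easy to get wrong when several policies are attached to one user. The following Python snippet is an added illustration, not code or tooling from IAM Identity Center: it combines the Example 2 deny policy with a constructed stand-in for the IdentityCenter FullAccess policy (the real contents of that system policy are not shown on this page, so a wildcard "IdentityCenter:*:*" statement is assumed) and reports, per action, whether the result is an allow, an explicit deny, or an implicit deny (no statement matched). Wildcard matching via fnmatch is also an assumption; the actual service may match action names differently.

```python
import fnmatch
import json

# Constructed stand-in for the IdentityCenter FullAccess system policy.
# The real policy text is not on the page; the wildcard below is assumed.
FULL_ACCESS_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["IdentityCenter:*:*"]},
        {"Effect": "Allow", "Action": ["organizations:delegatedAdministrators:list"]},
    ],
}

# The deny-only policy from Example 2, exactly as written on the page.
DENY_DELETE_POLICY = json.loads("""
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "IdentityCenter:permissionSet:delete"
            ]
        }
    ]
}
""")


def _actions(stmt):
    """Normalise "Action" to a list; a single string is also accepted."""
    actions = stmt["Action"]
    return [actions] if isinstance(actions, str) else list(actions)


def evaluate(policies, action):
    """Combine every statement of every attached policy for one action.

    Returns "explicit_deny" if any matching statement has Effect Deny,
    "allow" if at least one matching statement allows and none denies,
    and "implicit_deny" if no statement matches at all.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _actions(stmt)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # deny wins regardless of order
            if stmt["Effect"] == "Allow":
                allowed = True
    return "allow" if allowed else "implicit_deny"


def grants_nothing_alone(policy):
    """True when a policy has only Deny statements, i.e. it must be paired
    with an allowing policy to be useful (the caveat from Example 2)."""
    return all(stmt["Effect"] == "Deny" for stmt in policy["Statement"])


def audit(policies, actions):
    """Map each action of interest to its combined evaluation result."""
    return {action: evaluate(policies, action) for action in actions}


if __name__ == "__main__":
    attached = [FULL_ACCESS_POLICY, DENY_DELETE_POLICY]
    for action, result in audit(attached, [
        "IdentityCenter:permissionSet:create",
        "IdentityCenter:permissionSet:delete",
        "IdentityCenter:user:create",
        "organizations:delegatedAdministrators:list",
    ]).items():
        print(f"{action:50s} {result}")
    print("deny policy alone grants nothing:", grants_nothing_alone(DENY_DELETE_POLICY))
```

Running the module prints one line per action; only the permission set delete action evaluates to an explicit deny, every other IdentityCenter action stays allowed, and the same result is produced whichever order the two policies are attached in.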