IAM best practices and Creating Custom policy

Understanding IAM best practices:

Here is the link to get the best practices given by AWS:


  • Lock Away Your AWS Account Root User Access Keys
  • Create Individual IAM Users
  • Use Groups to Assign Permissions to IAM Users
  • Use AWS Defined Policies to Assign Permissions Whenever Possible
  • Grant Least Privilege – One of the important practices
  • Use Access Levels to Review IAM Permissions
  • Configure a Strong Password Policy for Your Users
  • Enable MFA for Privileged Users
  • Use Roles for Applications That Run on Amazon EC2 Instances
  • Delegate by Using Roles Instead of by Sharing Credentials
  • Rotate Credentials Regularly
  • Remove Unnecessary Credentials
  • Use Policy Conditions for Extra Security
  • Monitor Activity in Your AWS Account

AWS managed policies and creating custom policies

In this topic, we will explore the below

  • For policies, go to My Security Credentials –> Dashboard –> Policies, you should see the list of Amazon Defined Policies. It is a best practice to use these default policies only to assign the permissions.
  • By clicking on a policy, you can see below information
    • Policy details in two forms – Policy information in a tabular form or in JSON form. JSON form will help us to create the custom policy in the future.
      We can see the attached entities (group or user) to the policy.
    • Policy version information, you can get the json information
    • Access advisor – How this policy being used in AWS account by different users on the day-day basis.
  • E.g.: There are two AWS managed policies related to S3 service.
    • AmazonS3FullAccess – can create a bucket on S3, delete a bucket on S3, copy files, change permissions & etc.
    • AmazonS3ReadOnlyAccess – we can only read and list.
  • We can create the custom policy by clicking on the “Create policy”.
  • Once you click on Create, we should select the service first from the list of AWS services.
  • Select the actions – read, write and list etc.
  • And then select the Resources – either all resources can be selected or at bucket level or at object level by specifying that resource or by specifying the ARN (Amazon Resource Number).
  • And then click on review policy to give the policy name and description.
  • And click on the “create policy”, which will be added to the existing policies list.
  • You can view or edit policy information by clicking on the policy.
  • We can also clone the entire policy using the Import Managed Policy option or clone some properties by opening the policy information.