# Edit IAM policies


A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. Policies are stored in AWS as JSON documents and are attached to principals as *identity-based policies* in IAM. You can attach an identity-based policy to a principal (or identity), such as an IAM user group, user, or role. Identity-based policies include AWS managed policies, customer managed policies, and [inline policies](access_policies_managed-vs-inline.md). You can edit customer managed policies and inline policies in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).

It's generally better to use customer managed policies instead of inline policies or AWS managed policies. AWS managed policies usually provide broad administrative or read-only permissions. Inline policies can't be reused on other identities or managed outside of the identity where they exist. For the greatest security, [grant the least privilege](best-practices.md#grant-least-privilege), which means granting only the permissions required to perform specific job tasks.

When you create or edit IAM policies, AWS can automatically perform policy validation to help you create an effective policy with least privilege in mind. In the AWS Management Console, IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see [IAM policy validation](access_policies_policy-validator.md). To learn more about IAM Access Analyzer policy checks and actionable recommendations, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html).

You can use the AWS Management Console, AWS CLI, or AWS API to edit customer managed policies and inline policies in IAM. For more information about using CloudFormation templates to add or update policies, see [AWS Identity and Access Management resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html) in the *CloudFormation User Guide*.

**Topics**
+ [Edit IAM policies (console)](access_policies_manage-edit-console.md)
+ [Edit IAM policies (AWS CLI)](access_policies_manage-edit-cli.md)
+ [Edit IAM policies (AWS API)](access_policies_manage-edit-api.md)

# Edit IAM policies (console)


A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS Management Console to edit *customer managed policies* and *inline policies* in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).

For more information about policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).

## Prerequisites


Before you change the permissions for a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).

## Editing customer managed policies (console)


You can edit customer managed policies to change the permissions that are defined in the policy from the AWS Management Console. A customer managed policy can have up to five versions. If the policy already has five versions when you save a change, the AWS Management Console prompts you to confirm that the oldest non-default version will be deleted to make room for the new one. To avoid the prompt, delete a version or change the default version before you edit. To learn more about versions, see [Versioning IAM policies](access_policies_managed-versioning.md).

------
#### [ Console ]

**To edit a customer managed policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**.

1. In the list of policies, choose the policy name of the policy to edit. You can use the search box to filter the list of policies.

1. Choose the **Permissions** tab, and then choose **Edit**. 

1. Do one of the following:
   + Choose the **Visual** option to change your policy without understanding JSON syntax. You can make changes to the service, actions, resources, or optional conditions for each permission block in your policy. You can also import a policy to add additional permissions to the bottom of your policy. When you are finished making changes, choose **Next** to continue.
   + Choose the **JSON** option to modify your policy by typing or pasting text in the JSON text box. You can also import a policy to add additional permissions to the bottom of your policy. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**. 
**Note**  
You can switch between the **Visual** and **JSON** editor options any time. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).

1. On the **Review and save** page, review **Permissions defined in this policy** and then choose **Save changes** to save your work.

1. If the managed policy already has the maximum of five versions, choosing **Save changes** displays a dialog box. To save your new version, IAM deletes the oldest non-default version of the policy and replaces it with the new one. Optionally, you can set the new version as the default policy version. The default version is the one in effect for every identity that the policy is attached to, so leave it unset if you want to stage the new version before applying it.

   Choose **Save changes** to save your new policy version.

------

## Setting the default version of a customer managed policy (console)


You can set the default version of a customer managed policy from the AWS Management Console. The default version is the version that IAM evaluates for every user, user group, and role that the policy is attached to. Setting a different version as the default changes the effective permissions of all of those identities at once, which also makes it the quickest way to roll back a bad edit.

------
#### [ Console ]

**To set the default version of a customer managed policy (console)**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**.

1. In the list of policies, choose the policy name of the policy to set the default version of. You can use the search box to filter the list of policies.

1. Choose the **Policy versions** tab. Select the check box next to the version that you want to set as the default version, and then choose **Set as default**.

------

## Deleting a version of a customer managed policy (console)


You might need to delete a version of a customer managed policy to remove outdated or incorrect permissions that are no longer needed or pose potential security risks. By maintaining only necessary versions, you can help ensure that you stay within the limit of five managed policy versions, allowing room for future updates and refinements. You can delete a version of a customer managed policy from the AWS Management Console.

------
#### [ Console ]

**To delete a version of a customer managed policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**.

1. Choose the name of the customer managed policy that has a version you want to delete. You can use the search box to filter the list of policies.

1. Choose the **Policy versions** tab. Select the check box next to the version that you want to delete. Then choose **Delete**.

1. Confirm that you want to delete the version, and then choose **Delete**.

------

## Editing inline policies (console)


You might need to edit an inline policy to update or refine the permissions granted, ensuring they remain aligned with your organization's evolving security requirements and access control needs. Editing allows you to adjust the policy's JSON document, adding, modifying, or removing specific actions, resources, or conditions to maintain the principle of least privilege and adapt to changes in your environment or processes. Unlike a customer managed policy, an inline policy has no versions: saving your changes replaces the existing policy document, so review or copy the current document before you edit it. You can edit an inline policy from the AWS Management Console.

------
#### [ Console ]

**To edit an inline policy for a user, user group, or role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Users**, **User groups**, or **Roles**.

1. Choose the name of the user, user group, or role with the policy that you want to modify. Then choose the **Permissions** tab and expand the policy.

1. To edit an inline policy, choose **Edit Policy**. 

1. Do one of the following:
   + Choose the **Visual** option to change your policy without understanding JSON syntax. You can make changes to the service, actions, resources, or optional conditions for each permission block in your policy. You can also import a policy to add additional permissions to the bottom of your policy. When you are finished making changes, choose **Next** to continue.
   + Choose the **JSON** option to modify your policy by typing or pasting text in the JSON text box. You can also import a policy to add additional permissions to the bottom of your policy. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**.
**Note**  
You can switch between the **Visual** and **JSON** editor options any time. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).

1. On the **Review** page, review the policy summary and then choose **Save changes** to save your work.

------

# Edit IAM policies (AWS CLI)

A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS Command Line Interface (AWS CLI) to edit *customer managed policies* and *inline policies* in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).

For more information about policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).

## Prerequisites


Before you change the permissions for a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).

## Editing customer managed policies (AWS CLI)


You can edit a customer managed policy from the AWS CLI.

**Note**  
A managed policy can have up to five versions. If you need to make changes to a customer managed policy beyond five versions, you must first delete one or more existing non-default versions. The default version can't be deleted until you set a different version as the default.

**To edit a customer managed policy (AWS CLI)**

1. (Optional) To view information about a policy, run the following commands:
   + To list managed policies: [list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
   + To retrieve detailed information about a managed policy: [get-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html)

1. (Optional) To find out about the relationships between the policies and identities, run the following commands:
   + To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached: 
     + [list-entities-for-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html)
   + To list the managed policies attached to an identity (a user, user group, or role):
     + [list-attached-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-user-policies.html)
     + [list-attached-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-group-policies.html)
     + [list-attached-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html)

1. To edit a customer managed policy, run the following command:
   + [create-policy-version](https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy-version.html)

1. (Optional) To validate a customer managed policy, run the following IAM Access Analyzer command:
   + [validate-policy](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/validate-policy.html)

## Setting the default version of a customer managed policy (AWS CLI)


You can set a default version of a customer managed policy from the AWS CLI.

**To set the default version of a customer managed policy (AWS CLI)**

1. (Optional) To list managed policies, run the following command:
   + [list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)

1. To set the default version of a customer managed policy, run the following command:
   + [set-default-policy-version](https://docs.aws.amazon.com/cli/latest/reference/iam/set-default-policy-version.html)

## Deleting a version of a customer managed policy (AWS CLI)


You can delete a version of a customer managed policy from the AWS CLI. You can't delete the default version; to remove it, first set another version as the default.

**To delete a version of a customer managed policy (AWS CLI)**

1. (Optional) To list managed policies, run the following command:
   + [list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)

1. To delete a version of a customer managed policy, run the following command:
   + [delete-policy-version](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy-version.html)

## Editing inline policies (AWS CLI)


You can edit an inline policy from the AWS CLI. The `put-*-policy` commands replace the entire policy document, and inline policies have no versions, so retrieve and save the current document first if you might need to restore it.

**To edit an inline policy (AWS CLI)**

1. (Optional) To view information about a policy, run the following commands:
   + To list inline policies associated with an identity (a user, user group, or role): 
     + [list-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-user-policies.html)
     + [list-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html)
     + [list-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-group-policies.html)
   + To retrieve detailed information about an inline policy: 
     + [get-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user-policy.html)
     + [get-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role-policy.html)
     + [get-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group-policy.html)

1. To edit an inline policy, run one of the following commands:
   + [put-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-user-policy.html)
   + [put-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-policy.html)
   + [put-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-group-policy.html)

1. (Optional) To validate an inline policy, run the following IAM Access Analyzer command:
   + [validate-policy](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/validate-policy.html)

# Edit IAM policies (AWS API)

A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS API to edit *customer managed policies* and *inline policies* in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).

For more information about policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).

## Prerequisites


Before you change the permissions for a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).

## Editing customer managed policies (AWS API)


You can edit a customer managed policy using the AWS API.

**Note**  
A managed policy can have up to five versions. If you need to make changes to a customer managed policy beyond five versions, you must first delete one or more existing non-default versions. The default version can't be deleted until you set a different version as the default.

**To edit a customer managed policy (AWS API)**

1. (Optional) To view information about a policy, call the following operations:
   + To list managed policies: [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
   + To retrieve detailed information about a managed policy: [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html)

1. (Optional) To find out about the relationships between the policies and identities, call the following operations:
   + To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached: 
     + [ListEntitiesForPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListEntitiesForPolicy.html)
   + To list the managed policies attached to an identity (a user, user group, or role):
     + [ListAttachedUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedUserPolicies.html)
     + [ListAttachedGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedGroupPolicies.html)
     + [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)

1. To edit a customer managed policy, call the following operation:
   + [CreatePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html)

1. (Optional) To validate a customer managed policy, call the following IAM Access Analyzer operation:
   + [ValidatePolicy](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html)

## Setting the default version of a customer managed policy (AWS API)


You can set a default version of a customer managed policy from the AWS API.

**To set the default version of a customer managed policy (AWS API)**

1. (Optional) To list managed policies, call the following operation:
   + [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)

1. To set the default version of a customer managed policy, call the following operation:
   + [SetDefaultPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html)

## Deleting a version of a customer managed policy (AWS API)


You can delete a version of a customer managed policy from the AWS API. You can't delete the default version; to remove it, first set another version as the default.

**To delete a version of a customer managed policy (AWS API)**

1. (Optional) To list managed policies, call the following operation:
   + [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)

1. To delete a version of a customer managed policy, call the following operation:
   + [DeletePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html)
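The version handling that the editing, default-version, and delete-version procedures above describe for both the AWS CLI and the AWS API, as an added example that is not AWS code. It is written against the boto3 IAM client method names `list_policy_versions`, `delete_policy_version`, `create_policy_version`, and `set_default_policy_version` (the same operations as `create-policy-version`, `delete-policy-version`, and `set-default-policy-version` above). The `FakeIam` class, the policy ARN, and the sample document are constructed so that the example runs offline; pass `boto3.client("iam")` in place of `FakeIam()` to run it against an account. When the policy is already at the five-version quota, it deletes the oldest non-default version before creating the new one, and it never selects the default version for deletion because IAM rejects that.

```python
"""Publish a new version of a customer managed policy without tripping the
five-version quota.  Added example written against boto3 IAM client method
names; FakeIam is a constructed offline stand-in, not AWS code."""
import json
from datetime import datetime, timedelta, timezone

MAX_VERSIONS = 5  # IAM quota: a managed policy can have at most five versions

# Constructed sample document: least-privilege read of one bucket prefix.
SAMPLE_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/reports/*"}],
}


def oldest_non_default_version(versions):
    """VersionId to evict: the oldest by CreateDate that is not the default,
    because IAM refuses to delete the default version."""
    candidates = [v for v in versions if not v["IsDefaultVersion"]]
    return min(candidates, key=lambda v: v["CreateDate"])["VersionId"] if candidates else None


def publish_policy_version(iam, policy_arn, document, set_as_default=True):
    """Create a new version, first evicting the oldest non-default version if
    the policy is already at the quota.  Returns (new_id, evicted_id)."""
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    evicted = None
    if len(versions) >= MAX_VERSIONS:
        evicted = oldest_non_default_version(versions)
        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=evicted)
    resp = iam.create_policy_version(
        PolicyArn=policy_arn,
        PolicyDocument=json.dumps(document),
        SetAsDefault=set_as_default,  # the default is what attached identities get
    )
    return resp["PolicyVersion"]["VersionId"], evicted


def rollback(iam, policy_arn, version_id):
    """Make an earlier version the default again, e.g. after a bad edit."""
    iam.set_default_policy_version(PolicyArn=policy_arn, VersionId=version_id)


class FakeIam:
    """Constructed in-memory stand-in for the boto3 IAM client (not AWS code)."""

    def __init__(self):
        self._versions = {}  # PolicyArn -> [version dict, ...]
        self._next_id = {}

    def seed(self, arn, count, default="v1"):
        base = datetime(2024, 1, 1, tzinfo=timezone.utc)  # versions one day apart
        self._versions[arn] = [
            {"VersionId": f"v{i}", "IsDefaultVersion": f"v{i}" == default,
             "CreateDate": base + timedelta(days=i)}
            for i in range(1, count + 1)
        ]
        self._next_id[arn] = count + 1

    def default_version(self, arn):
        return next(v["VersionId"] for v in self._versions[arn] if v["IsDefaultVersion"])

    def list_policy_versions(self, PolicyArn):
        return {"Versions": [dict(v) for v in self._versions[PolicyArn]]}

    def delete_policy_version(self, PolicyArn, VersionId):
        victim = next(v for v in self._versions[PolicyArn] if v["VersionId"] == VersionId)
        if victim["IsDefaultVersion"]:
            raise RuntimeError("DeleteConflict: the default version cannot be deleted")
        self._versions[PolicyArn].remove(victim)
        return {}

    def create_policy_version(self, PolicyArn, PolicyDocument, SetAsDefault=False):
        versions = self._versions[PolicyArn]
        if len(versions) >= MAX_VERSIONS:
            raise RuntimeError("LimitExceeded: at most five versions per policy")
        json.loads(PolicyDocument)  # IAM rejects a malformed document
        new = {"VersionId": f"v{self._next_id[PolicyArn]}", "IsDefaultVersion": SetAsDefault,
               "CreateDate": datetime.now(timezone.utc)}
        self._next_id[PolicyArn] += 1
        if SetAsDefault:
            for v in versions:
                v["IsDefaultVersion"] = False
        versions.append(new)
        return {"PolicyVersion": dict(new)}

    def set_default_policy_version(self, PolicyArn, VersionId):
        for v in self._versions[PolicyArn]:
            v["IsDefaultVersion"] = v["VersionId"] == VersionId
        return {}


if __name__ == "__main__":
    iam = FakeIam()
    arn = "arn:aws:iam::123456789012:policy/ExampleReadOnly"  # constructed ARN
    iam.seed(arn, 5, default="v3")  # already at the quota, default in the middle
    new_id, evicted = publish_policy_version(iam, arn, SAMPLE_DOCUMENT)
    print(f"created {new_id}, evicted {evicted}, default is now {iam.default_version(arn)}")
    rollback(iam, arn, "v3")
    print(f"default after rollback: {iam.default_version(arn)}")
```

Creating the new version with `SetAsDefault` makes it effective immediately for every attached identity. Create it without that flag to stage it, then use `rollback` (a `set_default_policy_version` call) either to promote it or to return to a known-good version after a bad edit.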

## Editing inline policies (AWS API)


You can edit an inline policy from the AWS API. The `Put*Policy` operations replace the entire policy document, and inline policies have no versions, so retrieve and save the current document first if you might need to restore it.

**To edit an inline policy (AWS API)**

1. (Optional) To view information about an inline policy, call the following operations:
   + To list inline policies associated with an identity (a user, user group, or role): 
     + [ListUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html)
     + [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html)
     + [ListGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupPolicies.html)
   + To retrieve detailed information about an inline policy: 
     + [GetUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html)
     + [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html)
     + [GetGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetGroupPolicy.html)

1. To edit an inline policy, call one of the following operations:
   + [PutUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html)
   + [PutRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html)
   + [PutGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html)

1. (Optional) To validate an inline policy, call the following IAM Access Analyzer operation:
   + [ValidatePolicy](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html)
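An added example, not AWS code, of the inline-policy edit in the CLI and API procedures above, using the boto3 IAM client methods `get_role_policy` and `put_role_policy` (the user and group variants, `put_user_policy` and `put_group_policy`, work the same way). Because an inline policy has no versions, the put replaces the only copy, so the function fetches the current document first, returns it for safekeeping, and reports which (Effect, Action, Resource) grants the edit adds or removes so the change can be reviewed before it is trusted. `FakeIam`, the role name `app-role`, the policy name `s3-access`, and both documents are constructed so that the code runs offline; boto3 returns `PolicyDocument` already parsed to a dict, which the fake mirrors.

```python
"""Replace an inline role policy while keeping what it overwrites.  Added
example written against the boto3 IAM client methods get_role_policy and
put_role_policy; FakeIam is a constructed offline stand-in, not AWS code."""
import json
import types

# Constructed sample documents: the edit drops s3:PutObject.
OLD_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
NEW_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}


def grants(document):
    """Flatten a policy document into (Effect, Action, Resource) triples so two
    documents can be diffed regardless of how their statements are grouped."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    out = set()
    for st in statements:
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        for action in [actions] if isinstance(actions, str) else actions:
            for resource in [resources] if isinstance(resources, str) else resources:
                out.add((st.get("Effect"), action, resource))
    return out


def replace_inline_role_policy(iam, role_name, policy_name, new_document):
    """Fetch the current inline policy, record the change set, then overwrite.
    Returns the old document (keep it: there is no version to roll back to)
    plus the grants the edit adds and removes."""
    try:
        before = iam.get_role_policy(RoleName=role_name,
                                     PolicyName=policy_name)["PolicyDocument"]
    except iam.exceptions.NoSuchEntityException:
        before = None  # put_role_policy will create the policy
    old = grants(before) if before else set()
    new = grants(new_document)
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(new_document))
    return {"before": before, "added": sorted(new - old), "removed": sorted(old - new)}


class FakeIam:
    """Constructed in-memory stand-in for the boto3 IAM client (not AWS code)."""
    class _NoSuchEntity(Exception):
        pass
    exceptions = types.SimpleNamespace(NoSuchEntityException=_NoSuchEntity)

    def __init__(self):
        self._inline = {}  # (RoleName, PolicyName) -> document dict

    def get_role_policy(self, RoleName, PolicyName):
        if (RoleName, PolicyName) not in self._inline:
            raise self._NoSuchEntity(f"{RoleName}/{PolicyName}")
        return {"RoleName": RoleName, "PolicyName": PolicyName,
                "PolicyDocument": self._inline[(RoleName, PolicyName)]}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self._inline[(RoleName, PolicyName)] = json.loads(PolicyDocument)
        return {}


def demo():
    """Seed the old policy on the fake client, apply the edit, return the summary."""
    iam = FakeIam()
    iam.put_role_policy(RoleName="app-role", PolicyName="s3-access",
                        PolicyDocument=json.dumps(OLD_DOCUMENT))
    return replace_inline_role_policy(iam, "app-role", "s3-access", NEW_DOCUMENT)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The returned `removed` list is what to compare against last-accessed data before committing the edit, and `before` is the document to put back (with another `put_role_policy`) if the edit turns out to break something.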