# Delete IAM policies You can delete IAM policies using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS API. **Note** Deletion of IAM policies is permanent. After the policy is deleted it cannot be recovered. For more information about IAM policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md). For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md). The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md). **Topics** + [ # Delete IAM policies (console) ](access_policies_manage-delete-console.md) + [ # Delete IAM policies (AWS CLI) ](access_policies_manage-delete-cli.md) + [ # Delete IAM policies (AWS API) ](access_policies_manage-delete-api.md) # Delete IAM policies (console) You can use the AWS Management Console to delete *customer managed policies* and *inline policies* in IAM. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md). **Note** Deletion of IAM policies is permanent. After the policy is deleted it cannot be recovered. For more information about IAM policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md). For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md). ## Prerequisites Before you delete a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md). ## Deleting IAM policies (console) You might need to delete a customer managed policy when it becomes obsolete or no longer aligns with your organization's security requirements and access control needs. By deleting unnecessary policies, you reduce potential security risks associated with outdated or unused policies. You can delete a customer managed policy to remove it from your AWS account. You cannot delete AWS managed policies. ------ #### [ Console ] **To delete a customer managed policy** 1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 1. In the navigation pane, choose **Policies**. 1. Select the radio button next to the customer managed policy to delete. You can use the search box to filter the list of policies. 1. Choose **Actions**, and then choose **Delete**. 1. Follow the instructions to confirm that you want to delete the policy, and then choose **Delete**. ------ ## Deleting inline policies (console) You might need to delete an inline policy when the specific permissions it grants are no longer required for the IAM user, group, or role to which it's directly attached. Deleting unnecessary inline policies helps reduce the risk of unintended access, especially since inline policies can't be reused or shared across multiple identities like managed policies can. You can delete an inline policy to remove it from your AWS account. You cannot delete AWS managed policies. ------ #### [ Console ] **To delete an inline policy for a IAM user, group, or role** 1. In the navigation pane, choose **User groups**, **Users**, or **Roles**. 1. Choose the name of the user group, user, or role with the policy that you want to delete. Then choose the **Permissions** tab. 1. Select the checkboxes next to the policies to delete and choose **Remove**. Then, in the confirmation dialog, confirm the removal and deletion of the policy. + To delete an inline policy in **Users** or **Roles**, choose **Remove** to confirm the deletion. + If you are deleting a single inline policy in **User groups**, type the name of the policy and choose **Delete**. If you are deleting multiple inline policies in **User groups**, type the number of policies you are deleting followed by **inline policies** and choose **Delete**. For example, if you are deleting three inline policies, type **3 inline policies**. ------ # Delete IAM policies (AWS CLI) You can use the AWS Command Line Interface (AWS CLI) to delete *customer managed policies* and *inline policies* in IAM. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md). **Note** Deletion of IAM policies is permanent. After the policy is deleted it cannot be recovered. For more information about IAM policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md). For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md). ## Prerequisites Before you delete a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md). ## Deleting customer managed policies (AWS CLI) You can delete a customer managed policy from the AWS Command Line Interface. **To delete a customer managed policy (AWS CLI)** 1. (Optional) To view information about a policy, run the following commands: + To list managed policies: [list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html) + To retrieve detailed information about a managed policy: [get-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html) 1. (Optional) To find out about the relationships between the policies and identities, run the following commands: + To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached, run the following command: + [list-entities-for-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html) + To list the managed policies attached to an identity (a user, user group, or role), run one of the following commands: + [list-attached-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-user-policies.html) + [list-attached-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-group-policies.html) + [list-attached-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html) 1. To delete a customer managed policy, run the following command: + [delete-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html) ## Deleting inline policies (AWS CLI) You can delete an inline policy from the AWS CLI. **To delete an inline policy (AWS CLI)** 1. (Optional) To list all inline policies that are attached to an identity (user, user group, role), use one of the following commands: + [aws iam list-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-user-policies.html) + [aws iam list-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-group-policies.html) + [aws iam list-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html) 1. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), use one of the following commands: + [aws iam get-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user-policy.html) + [aws iam get-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group-policy.html) + [aws iam get-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role-policy.html) 1. To delete an inline policy from an identity (user, user group, or role that is not a *[service-linked role](id_roles.md#iam-term-service-linked-role)*), use one of the following commands: + [aws iam delete-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-user-policy.html) + [aws iam delete-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-group-policy.html) + [aws iam delete-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-role-policy.html) # Delete IAM policies (AWS API) You can use the AWS API to delete *customer managed policies* and *inline policies* in IAM. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md). **Note** Deletion of IAM policies is permanent. After the policy is deleted it cannot be recovered. For more information about IAM policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md). For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md). ## Prerequisites Before you delete a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md). ## Deleting customer managed policies (AWS API) You can delete a customer managed policy using the AWS API. **To delete a customer managed policy (AWS API)** 1. (Optional) To view information about a policy, call the following operations: + To list managed policies: [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html) + To retrieve detailed information about a managed policy: [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html) 1. (Optional) To find out about the relationships between the policies and identities, call the following operations: + To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached, call the following operation: + [ListEntitiesForPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListEntitiesForPolicy.html) + To list the managed policies attached to an identity (a user, user group, or role), call one of the following operations: + [ListAttachedUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedUserPolicies.html) + [ListAttachedGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedGroupPolicies.html) + [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html) 1. To delete a customer managed policy, call the following operation: + [DeletePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html) ## Deleting inline policies (AWS API) You can delete an inline policy using the AWS API. **To delete an inline policy (AWS API)** 1. (Optional) To list all inline policies that are attached to an identity (user, user group, role), call one of the following operations: + [ListUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html) + [ListGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupPolicies.html) + [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html) 1. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), call one of the following operations: + [GetUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html) + [GetGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetGroupPolicy.html) + [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html) 1. To delete an inline policy from an identity (user, user group, or role that is not a *[service-linked role](id_roles.md#iam-term-service-linked-role)*), call one of the following operations: + [DeleteUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html) + [DeleteGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html) + [DeleteRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html)