ManagedPolicy
The ManagedPolicy resource lets you manage AWS IAM managed policies: standalone, reusable permission documents that you attach to IAM users, groups, and roles to grant access to AWS resources.
Minimal Example
Create a basic IAM ManagedPolicy with the required PolicyDocument and a description. The statement is scoped to a single bucket and its objects rather than to all of S3:

```ts
import AWS from "alchemy/aws/control";

const basicPolicy = await AWS.IAM.ManagedPolicy("basicPolicy", {
  ManagedPolicyName: "BasicS3Access",
  Description: "Allows read and write access to my-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        // ListBucket applies to the bucket ARN, the object actions to the objects in it
        Resource: ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
      },
    ],
  },
});
```
Advanced Configuration
Configure an IAM ManagedPolicy with an optional path and attach it to groups and roles at creation time. Note that Resource: "*" allows these actions on every instance in the account; where possible narrow it to instance ARNs or add a condition such as aws:ResourceTag, since ec2:TerminateInstances supports resource-level permissions:

```ts
const advancedPolicy = await AWS.IAM.ManagedPolicy("advancedPolicy", {
  ManagedPolicyName: "AdvancedEC2Access",
  Path: "/admin/", // becomes part of the policy ARN; useful for grouping and for path-based IAM conditions
  Description: "Grants permissions to manage EC2 instances",
  Groups: ["AdminGroup"],
  Roles: ["EC2AdminRole"],
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances"],
        // "*" means every instance in the account; scope this down in production
        Resource: "*",
      },
    ],
  },
});
```
Attaching to Users
Attach the ManagedPolicy directly to specific users. Be aware that s3:* grants every S3 API on the listed resources, including s3:DeleteBucket and s3:PutBucketPolicy; list only the actions the users need unless full control is intended:

```ts
const userPolicy = await AWS.IAM.ManagedPolicy("userPolicy", {
  ManagedPolicyName: "UserS3Access",
  Description: "Allows users to access user-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        // s3:* includes destructive and policy-changing actions on the bucket
        Action: "s3:*",
        Resource: ["arn:aws:s3:::user-bucket", "arn:aws:s3:::user-bucket/*"],
      },
    ],
  },
  Users: ["UserA", "UserB"],
});
```
Policy with Conditions
Create a ManagedPolicy that uses a condition to restrict access. The s3:prefix condition key is only populated on list requests (s3:ListBucket), so placing it on s3:GetObject produces a statement that never matches; object-level access is restricted through the key path in the Resource ARN instead:

```ts
const conditionalPolicy = await AWS.IAM.ManagedPolicy("conditionalPolicy", {
  ManagedPolicyName: "ConditionalS3Access",
  Description: "Grants read access to the docs/ prefix of condition-bucket",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        // s3:prefix is present only on list requests, so the condition goes
        // on ListBucket against the bucket ARN
        Effect: "Allow",
        Action: "s3:ListBucket",
        Resource: "arn:aws:s3:::condition-bucket",
        Condition: {
          StringLike: { "s3:prefix": ["docs/", "docs/*"] },
        },
      },
      {
        // object-level actions are scoped by the key in the Resource ARN
        Effect: "Allow",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:::condition-bucket/docs/*",
      },
    ],
  },
});
```
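As an added example (not code from Alchemy or from this page), the following TypeScript lints a PolicyDocument before it is handed to AWS.IAM.ManagedPolicy. It flags the three patterns from the sections above: a wildcard action such as s3:* (Attaching to Users), Resource "*" combined with mutating actions (Advanced Configuration), and an s3:prefix condition on an action that is not a list operation (Policy with Conditions). The Statement and PolicyDocument types, lintPolicy, the READ_ONLY pattern, the S3_LIST_ACTIONS set and the sample documents are all constructed for this illustration; nothing here calls AWS.

```typescript
// Pre-flight lint for IAM policy documents. Constructed example; the types
// mirror the PolicyDocument shape used in this page but are not Alchemy's.
type ConditionBlock = Record<string, Record<string, string | string[]>>;

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: ConditionBlock;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Actions on which s3:prefix is populated. Short illustrative list (assumption);
// the complete set is in the S3 condition-key documentation.
const S3_LIST_ACTIONS = new Set([
  "s3:listbucket",
  "s3:listbucketversions",
  "s3:listbucketmultipartuploads",
]);

// Read-only verbs that are usually tolerable against Resource "*".
const READ_ONLY = /^[a-z0-9-]+:(Describe|Get|List)/i;

function lintPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  if (doc.Version !== "2012-10-17") {
    findings.push(`Version "${doc.Version}": use "2012-10-17" so condition keys and policy variables are evaluated`);
  }

  doc.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return; // Deny statements only narrow access
    const actions = asList(stmt.Action);
    const resources = asList(stmt.Resource);

    // 1. service-wide or global wildcard actions
    for (const a of actions) {
      if (a === "*" || a.endsWith(":*")) {
        findings.push(`Statement ${i}: wildcard action "${a}" grants every API in the service, including delete and policy calls`);
      }
    }

    // 2. mutating actions against every resource in the account
    if (resources.includes("*")) {
      const mutating = actions.filter((a) => !READ_ONLY.test(a));
      if (mutating.length > 0) {
        findings.push(`Statement ${i}: Resource "*" with mutating actions ${mutating.join(", ")}; scope by ARN or add a condition`);
      }
    }

    // 3. s3:prefix on an action where the key is never present (statement can never match)
    for (const keys of Object.values(stmt.Condition ?? {})) {
      const hasPrefix = Object.keys(keys).some((k) => k.toLowerCase() === "s3:prefix");
      if (!hasPrefix) continue;
      const notList = actions.filter((a) => !a.includes("*") && !S3_LIST_ACTIONS.has(a.toLowerCase()));
      if (notList.length > 0) {
        findings.push(`Statement ${i}: s3:prefix on ${notList.join(", ")} never matches; apply it to s3:ListBucket and scope object actions via the Resource ARN`);
      }
    }
  });
  return findings;
}

// Constructed sample: s3:prefix placed on GetObject (the non-working shape).
const prefixOnGetObject: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "s3:GetObject", Resource: "arn:aws:s3:::condition-bucket/*",
      Condition: { StringEquals: { "s3:prefix": "docs/" } } },
  ],
};

// Constructed sample: prefix condition on ListBucket, object ARN scoped to docs/.
const prefixOnListBucket: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "s3:ListBucket", Resource: "arn:aws:s3:::condition-bucket",
      Condition: { StringLike: { "s3:prefix": ["docs/", "docs/*"] } } },
    { Effect: "Allow", Action: "s3:GetObject", Resource: "arn:aws:s3:::condition-bucket/docs/*" },
  ],
};

// Constructed sample: EC2 instance lifecycle actions on every resource.
const ec2OnEverything: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances"], Resource: "*" },
  ],
};

console.log(lintPolicy(prefixOnGetObject));
console.log(lintPolicy(prefixOnListBucket)); // []
console.log(lintPolicy(ec2OnEverything));
```

Run the lint over each PolicyDocument before constructing the resource and fail the deployment on any finding; a clean result only means the policy avoids these specific patterns, not that it is least-privilege.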