How to attach managed policies to an IAM user

Topic: Accounts access

Summary

Attach AWS managed or customer-managed policies to an IAM user via console or CLI, and verify effective permissions. Use this to grant or change permissions without editing inline policies; prefer groups for multiple users with the same role.

Intent: How-to

Quick answer

  • In IAM → Users → user → Permissions, add permissions by attaching managed policies (AWS or customer-managed); avoid inline policies for reusability and audit.
  • Prefer adding the user to a group that has the managed policies attached, so permission changes apply to all users in the role.
  • Use list-attached-user-policies and list-groups-for-user to verify; test with the IAM policy simulator or a minimal CLI call.

Prerequisites

Steps

  1. Choose managed policies for the role

    Identify the AWS managed policy (e.g. AmazonS3ReadOnlyAccess) or customer-managed policy ARN that grants the required actions and resources; prefer least privilege.

  2. Attach policies to the user or their group

    Attach the policy to the user (Add permissions → Attach policies directly) or add the user to a group that already has the policies; confirm no Deny overrides the intended access.

  3. Verify attached policies

    List attached user policies and groups for the user; run a test action (e.g. aws s3 ls) or use the IAM policy simulator to confirm effective permissions.

Summary

You will attach managed policies to an IAM user (directly or via a group) and verify effective permissions. Use this when you need to grant or update permissions for a user without maintaining inline policies; prefer groups when multiple users share the same role.

Prerequisites

Steps

Step 1: Choose managed policies for the role

  • Decide which actions and resources the user needs. Prefer AWS managed policies when they match (e.g. AmazonS3ReadOnlyAccess, AmazonEC2ReadOnlyAccess). For custom scope, create or use a customer-managed policy.
  • Note the policy ARN, e.g. arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess or arn:aws:iam::123456789012:policy/MyCustomPolicy.

Step 2: Attach policies to the user or their group

Console: IAM → Users → select user → Permissions → Add permissions. Choose Attach policies directly, select the managed policies, then Add permissions. Alternatively, choose Add user to group and select a group that has the right policies.

CLI — attach to user directly:

aws iam attach-user-policy --user-name deploy-prod --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

CLI — add user to group:

aws iam add-user-to-group --user-name deploy-prod --group-name S3Readers

Ensure no other policy (e.g. an explicit Deny or a permission boundary) overrides the intended access.

Step 3: Verify attached policies

aws iam list-attached-user-policies --user-name deploy-prod
aws iam list-groups-for-user --user-name deploy-prod

For each group, list its attached policies with aws iam list-attached-group-policies --group-name S3Readers. Test with a minimal allowed action (e.g. aws s3 ls) or use the IAM policy simulator to simulate the desired API call.

Verification

  • list-attached-user-policies and list-groups-for-user show the intended policies.
  • User can perform the allowed actions and is denied for actions not in their policies.
  • No inline policies on the user unless explicitly required; managed policies are used for audit and reuse.
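The following script is an added example (not part of this page's procedure or any AWS tooling) that consolidates the output of the Step 3 listing commands into one view of the user's effective managed policies and flags the verification points above: broad policies, inline policies, and the per-user direct-attachment limit. The input dicts mirror the JSON that aws iam list-attached-user-policies, list-groups-for-user, list-attached-group-policies and list-user-policies return; the sample values for deploy-prod and S3Readers are constructed.

```python
# Added example: build an effective-permissions inventory for an IAM user from
# the JSON responses of the aws iam listing commands. No AWS calls are made here;
# the responses below are constructed samples for user deploy-prod / group S3Readers.

DIRECT_ATTACH_LIMIT = 10  # default quota for managed policies attached directly to a user
BROAD_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# Constructed sample of `aws iam list-attached-user-policies --user-name deploy-prod`
USER_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "AmazonS3ReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]}
# Constructed sample of `aws iam list-groups-for-user --user-name deploy-prod`
USER_GROUPS = {"Groups": [{"GroupName": "S3Readers", "Path": "/",
                           "Arn": "arn:aws:iam::123456789012:group/S3Readers"}]}
# Constructed sample of `aws iam list-attached-group-policies`, keyed by group name
GROUP_ATTACHED = {"S3Readers": {"AttachedPolicies": [
    {"PolicyName": "AmazonS3ReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}}
# Constructed sample of `aws iam list-user-policies` (inline policies on the user)
USER_INLINE = {"PolicyNames": ["legacy-s3-inline"]}


def effective_policies(user_attached, user_groups, group_attached, user_inline):
    """Map each managed policy ARN to the sources granting it, plus audit warnings."""
    sources = {}
    for p in user_attached["AttachedPolicies"]:
        sources.setdefault(p["PolicyArn"], []).append("user")
    for g in user_groups["Groups"]:
        name = g["GroupName"]
        for p in group_attached.get(name, {}).get("AttachedPolicies", []):
            sources.setdefault(p["PolicyArn"], []).append(f"group:{name}")

    warnings = []
    if len(user_attached["AttachedPolicies"]) >= DIRECT_ATTACH_LIMIT:
        warnings.append("direct attachments at the per-user quota; move policies to a group")
    for arn in sorted(sources):
        if arn in BROAD_POLICIES:
            warnings.append(f"broad policy {arn} granted via {', '.join(sources[arn])}")
    for name in user_inline.get("PolicyNames", []):
        warnings.append(f"inline policy '{name}' on user; prefer managed policies")
    return sources, warnings


if __name__ == "__main__":
    policies, warns = effective_policies(USER_ATTACHED, USER_GROUPS, GROUP_ATTACHED, USER_INLINE)
    for arn, via in policies.items():
        print(f"{arn}  <- {', '.join(via)}")
    for w in warns:
        print("WARNING:", w)
```

Replace the constructed dicts with the parsed output of the real commands (for example via json.load) to run the same checks against an actual user.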

Troubleshooting

Still access denied — Check permission boundaries on the user; check for an explicit Deny in any attached or group policy. Use the policy simulator with the user’s ARN and the failed action.

Too much permission — Prefer a more restrictive managed policy or a custom policy with specific actions and resources; remove broad policies (e.g. AdministratorAccess) unless the role requires it.

Policy limit exceeded — IAM users can have at most 10 managed policies attached directly; use groups to attach more policies or consolidate into fewer custom policies.

Next steps

Continue to