Effective URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html?ref_=pe_1810290_136609980

Changing permissions for an IAM user - AWS Identity and Access Management
CHANGING PERMISSIONS FOR AN IAM USER


You can change the permissions for an IAM user in your AWS account by changing
its group memberships, by copying permissions from an existing user, by
attaching policies directly to a user, or by setting a permissions boundary. A
permissions boundary controls the maximum permissions that a user can have.
Permissions boundaries are an advanced AWS feature.

For information about the permissions that you need in order to modify the
permissions for a user, see Permissions required to access IAM resources.

TOPICS

 * View user access
 * Generate a policy based on a user's access activity
 * Adding permissions to a user (console)
 * Changing permissions for a user (console)
 * Removing a permissions policy from a user (console)
 * Removing the permissions boundary from a user (console)
 * Adding and removing a user's permissions (AWS CLI or AWS API)


VIEW USER ACCESS

Before you change the permissions for a user, you should review its recent
service-level activity. This is important because you don't want to remove
access from a principal (person or application) who is using it. For more
information about viewing last accessed information, see Refining permissions in
AWS using last accessed information.


GENERATE A POLICY BASED ON A USER'S ACCESS ACTIVITY

You might sometimes grant permissions to an IAM entity (user or role) beyond
what they require. To help you refine the permissions that you grant, you can
generate an IAM policy that is based on the access activity for an entity. IAM
Access Analyzer reviews your AWS CloudTrail logs and generates a policy template
that contains the permissions that have been used by the entity in your
specified date range. You can use the template to create a managed policy with
fine-grained permissions and then attach it to the IAM entity. That way, you
grant only the permissions that the user or role needs to interact with AWS
resources for your specific use case. To learn more, see Generate policies based
on access activity.


ADDING PERMISSIONS TO A USER (CONSOLE)

IAM offers three ways to add permissions policies to a user:

 * Add user to group – Make the user a member of a group. The policies from the
   group are attached to the user.

 * Copy permissions from existing user – Copy all group memberships, attached
   managed policies, inline policies, and any existing permissions boundaries
   from the source user.

 * Attach policies directly to user – Attach a managed policy directly to the
   user. For easier permissions management, attach your policies to a group and
   then make users members of the appropriate groups.

IMPORTANT

If the user has a permissions boundary, then you cannot add more permissions to
a user than are allowed by the permissions boundary.


ADDING PERMISSIONS BY ADDING THE USER TO A GROUP

Adding a user to a group affects the user immediately.

TO ADD PERMISSIONS TO A USER BY ADDING THE USER TO A GROUP

 1. Sign in to the AWS Management Console and open the IAM console at
    https://console.aws.amazon.com/iam/.

 2. In the navigation pane, choose Users.

 3. Review the current group memberships for users in the Groups column of the
    console. If necessary, add the column to the users table by completing the
    following steps:
    
     1. Above the table on the far right, choose the settings symbol.
    
     2. In the Manage Columns dialog box, select the Groups column. Optionally,
        you can also clear the check box for any column headings that you do not
        want to appear in the users table.
    
     3. Choose Close to return to the list of users.
    
    The Groups column tells you to which groups the user belongs. The column
    includes the group names for up to two groups. If the user is a member of
    three or more groups, the first two groups are shown (ordered
    alphabetically), and the number of additional group memberships is included.
    For example, if the user belongs to Group A, Group B, Group C, and Group D,
    then the field contains the value Group A, Group B + 2 more. To see the
    total number of groups to which the user belongs, you can add the Group
    count column to the users table.

 4. Choose the name of the user whose permissions you want to modify.

 5. Choose the Permissions tab, and then choose Add permissions. Choose Add user
    to group.

 6. Select the check box for each group that you want the user to join. The list
    shows each group's name and the policies that the user receives if made a
    member of that group.

 7. (Optional) In addition to selecting from existing groups, you can choose
    Create group to define a new group:
    
    1. In the new tab, for User group name, type a name for your new group.
       
       NOTE
       
       The number and size of IAM resources in an AWS account are limited. For
       more information, see IAM and AWS STS quotas. Group names can be a
       combination of up to 128 letters, digits, and these characters: plus (+),
       equal (=), comma (,), period (.), at sign (@), and hyphen (-). Names must
       be unique within an account. They are not distinguished by case. For
       example, you cannot create two groups named TESTGROUP and testgroup.
    
    2. Select one or more check boxes for the managed policies that you want to
       attach to the group. You can also create a new managed policy by choosing
       Create policy. If you do, return to this browser tab or window when the
       new policy is done, choose Refresh, and then choose the new policy to
       attach it to your group. For more information, see Creating IAM policies.
    
    3. Choose Create user group.
    
    4. Return to the original tab and refresh your list of groups. Then select
       the check box for your new group.

 8. Choose Next to see the list of group memberships to be added to the user.
    Then choose Add permissions.


ADDING PERMISSIONS BY COPYING FROM ANOTHER USER

Copying permissions affects the user immediately.

TO ADD PERMISSIONS TO A USER BY COPYING PERMISSIONS FROM ANOTHER USER

 1. Sign in to the AWS Management Console and open the IAM console at
    https://console.aws.amazon.com/iam/.

 2. Choose Users in the navigation pane, choose the name of the user whose
    permissions you want to modify, and then choose the Permissions tab.

 3. Choose Add permissions, and then choose Copy permissions from existing user.
    The list displays available users along with their group memberships and
    attached policies. If the full list of groups or policies doesn't fit on one
    line, you can choose the and n more link. Doing that opens a new browser
    tab where you can see the full list of policies (Permissions tab) and groups
    (Groups tab).

 4. Select the radio button next to the user whose permissions you want to copy.

 5. Choose Next to see the list of changes that are to be made to the user. Then
    choose Add permissions.


ADDING PERMISSIONS BY ATTACHING POLICIES DIRECTLY TO THE USER

Attaching policies affects the user immediately.

TO ADD PERMISSIONS TO A USER BY DIRECTLY ATTACHING MANAGED POLICIES

 1. Sign in to the AWS Management Console and open the IAM console at
    https://console.aws.amazon.com/iam/.

 2. Choose Users in the navigation pane, choose the name of the user whose
    permissions you want to modify, and then choose the Permissions tab.

 3. Choose Add permissions, and then choose Attach policies directly.

 4. Select one or more check boxes for the managed policies that you want to
    attach to the user. You can also create a new managed policy by choosing
    Create policy. If you do, return to this browser tab or window when the new
    policy is done, choose Refresh, and then select the check box for the new
    policy to attach it to your user. For more information, see Creating IAM
    policies.

 5. Choose Next to see the list of policies that are to be attached to the user.
    Then choose Add permissions.


SETTING THE PERMISSIONS BOUNDARY FOR A USER

Setting a permissions boundary affects the user immediately.

TO SET THE PERMISSIONS BOUNDARY FOR A USER

 1. Sign in to the AWS Management Console and open the IAM console at
    https://console.aws.amazon.com/iam/.

 2. In the navigation pane, choose Users.

 3. Choose the name of the user whose permissions boundary you want to change.

 4. Choose the Permissions tab. If necessary, open the Permissions boundary
    section and then choose Set permissions boundary.

 5. Select the policy that you want to use for the permissions boundary.

 6. Choose Set boundary.


CHANGING PERMISSIONS FOR A USER (CONSOLE)

IAM allows you to change the permissions that are associated with a user in the
following ways:

 * Edit a permissions policy – Edit a user's inline policy, the inline policy of
   the user's group, or edit a managed policy that is attached to the user
   directly or from a group. If the user has a permissions boundary, then you
   cannot provide more permissions than are allowed by the policy that was used
   as the user's permissions boundary.

 * Change the permissions boundary – Change the policy that is used as the
   permissions boundary for the user. This can expand or restrict the maximum
   permissions that a user can have.
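The permissions boundary behaves as a ceiling: policies from groups, direct attachments and inline policies grant access, but nothing outside the boundary is effective, and changing the boundary expands or restricts that ceiling without granting anything by itself. The following added example (not AWS code and not from this guide) models that evaluation with constructed policies; it is a deliberate simplification that ignores conditions, resource-based policies, SCPs and session policies, matches wildcards only in Action strings, and uses hypothetical helper names.

```python
"""Simplified model of IAM identity-policy evaluation with a permissions boundary.
Added example, not AWS code. Covers only identity-based policies (group, directly
attached, inline) plus the boundary; no conditions, resources, SCPs or sessions."""
import fnmatch
from typing import Iterable, List, Optional

# Constructed sample policies (not taken from the AWS page).
S3_READ = {"Statement": [{"Effect": "Allow",
                          "Action": ["s3:GetObject", "s3:ListBucket"],
                          "Resource": "*"}]}
EC2_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DENY_DELETE = {"Statement": [{"Effect": "Deny", "Action": "*:Delete*", "Resource": "*"}]}
# Boundary: the user may never exceed S3 and DynamoDB, whatever gets attached.
S3_DDB_BOUNDARY = {"Statement": [{"Effect": "Allow",
                                  "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}

# Constructed user: EC2 admin via a group, S3 read attached directly,
# an inline explicit Deny, and the S3/DynamoDB boundary.
USER = {
    "groups": {"Developers": [EC2_ADMIN]},
    "attached": [S3_READ],
    "inline": [DENY_DELETE],
    "boundary": S3_DDB_BOUNDARY,
}


def _statements(policy: dict) -> List[dict]:
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _matches(action: str, pattern) -> bool:
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(action: str, policies: Iterable[dict]) -> str:
    """Decision for one policy set: 'deny' (explicit), 'allow' or 'implicit-deny'."""
    result = "implicit-deny"
    for pol in policies:
        for st in _statements(pol):
            if not _matches(action, st.get("Action", [])):
                continue
            if st.get("Effect") == "Deny":
                return "deny"          # explicit Deny always wins
            if st.get("Effect") == "Allow":
                result = "allow"
    return result


def effective_decision(action: str, identity_policies: Iterable[dict],
                       boundary: Optional[dict] = None) -> str:
    """The identity policies must allow the action AND, if a boundary is set,
    the boundary must allow it too. The boundary grants nothing on its own."""
    identity = evaluate(action, identity_policies)
    if identity == "deny":
        return "deny"
    if boundary is not None:
        b = evaluate(action, [boundary])
        if b == "deny":
            return "deny"
        if b != "allow":
            return "implicit-deny"     # allowed by a policy, but outside the boundary
    return identity


def user_policies(user: dict) -> List[dict]:
    """Collect the three sources the console adds permissions through."""
    from_groups = [p for grp in user["groups"].values() for p in grp]
    return from_groups + user["attached"] + user["inline"]


def user_decision(user: dict, action: str) -> str:
    return effective_decision(action, user_policies(user), user.get("boundary"))


def remove_from_group(user: dict, group_name: str) -> dict:
    """Removing a group membership drops every policy received through it."""
    groups = {g: p for g, p in user["groups"].items() if g != group_name}
    return {**user, "groups": groups}


def with_boundary(user: dict, boundary: Optional[dict]) -> dict:
    """Changing (or removing) the boundary moves the ceiling, not the grants."""
    return {**user, "boundary": boundary}
```

Try `user_decision(USER, "ec2:RunInstances")`: the group grants it, but the S3/DynamoDB boundary caps it to an implicit deny until the boundary is changed or removed.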


EDITING A PERMISSIONS POLICY ATTACHED TO A USER

Changing permissions affects the user immediately.

TO EDIT A USER'S ATTACHED MANAGED POLICIES

 1. Sign in to the AWS Management Console and open the IAM console at
    https://console.aws.amazon.com/iam/.

 2. In the navigation pane, choose Users.

 3. Choose the name of the user whose permissions policy you want to change.

 4. Choose the Permissions tab. If necessary, open the Permissions policies
    section.

 5. Choose the name of the policy that you want to edit to view details about
    the policy. Choose the Policy usage tab to view other entities that might be
    affected if you edit the policy.

 6. Choose the Permissions tab and review the permissions granted by the policy.
    Then choose Edit policy.

 7. Edit the policy and resolve any policy validation recommendations. For more
    information, see Editing IAM policies.

 8. Choose Review policy, review the policy summary, and then choose Save
    changes.


CHANGING THE PERMISSIONS BOUNDARY FOR A USER

Changing a permissions boundary affects the user immediately.

TO CHANGE THE POLICY USED TO SET THE PERMISSIONS BOUNDARY FOR A USER

 1. Sign in to the AWS Management Console and open the IAM console at
    https://console.aws.amazon.com/iam/.

 2. In the navigation pane, choose Users.

 3. Choose the name of the user whose permissions boundary you want to change.

 4. Choose the Permissions tab. If necessary, open the Permissions boundary
    section and then choose Change boundary.

 5. Select the policy that you want to use for the permissions boundary.

 6. Choose Set boundary.


REMOVING A PERMISSIONS POLICY FROM A USER (CONSOLE)

Removing a policy affects the user immediately.

TO REMOVE PERMISSIONS FOR IAM USERS

 1. Sign in to the AWS Management Console and open the IAM console at
    https://console.aws.amazon.com/iam/.

 2. In the navigation pane, choose Users.

 3. Choose the name of the user whose permissions policy you want to remove.

 4. Choose the Permissions tab.

 5. If you want to remove permissions by removing an existing policy, view the
    Type to understand how the user is getting that policy before choosing
    Remove to remove the policy:
    
     * If the policy applies because of group membership, then choosing Remove
       removes the user from the group. Remember that you might have multiple
       policies attached to a single group. If you remove a user from a group,
       the user loses access to all policies that it received through that group
       membership.
    
     * If the policy is a managed policy attached directly to the user, then
       choosing Remove detaches the policy from the user. This does not affect
       the policy itself or any other entity that the policy might be attached
       to.
    
     * If the policy is an inline embedded policy, then choosing X removes the
       policy from IAM. Inline policies that are attached directly to a user
       exist only on that user.


REMOVING THE PERMISSIONS BOUNDARY FROM A USER (CONSOLE)

Removing a permissions boundary affects the user immediately.

TO REMOVE THE PERMISSIONS BOUNDARY FROM A USER

 1. Sign in to the AWS Management Console and open the IAM console at
    https://console.aws.amazon.com/iam/.

 2. In the navigation pane, choose Users.

 3. Choose the name of the user whose permissions boundary you want to remove.

 4. Choose the Permissions tab. If necessary, open the Permissions boundary
    section and then choose Remove boundary.

 5. Choose Remove boundary to confirm that you want to remove the permissions
    boundary.




ADDING AND REMOVING A USER'S PERMISSIONS (AWS CLI OR AWS API)

To add or remove permissions programmatically, you must add or remove the group
memberships, attach or detach the managed policies, or add or delete the inline
policies. For more information, see the following topics:

 * Adding and removing users in an IAM user group

 * Adding and removing IAM identity permissions
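The API route described above, as an added example rather than anything from the AWS documentation: a Python function that removes every permission source from a user (group memberships, attached managed policies, inline policies, and the permissions boundary) using the boto3 IAM client method names. `FakeIam` is a constructed in-memory stand-in so the function can be exercised offline; the ARNs and names it holds are constructed.

```python
# Added example (not AWS code): strip all permission sources from an IAM user
# via the API. `iam` is a boto3 IAM client (boto3.client("iam")) or any object
# with the same method names; FakeIam below is a constructed offline stand-in.

def _all(iam, operation, key, **kwargs):
    """Collect `key` across every page of a paginated IAM list call."""
    items = []
    for page in iam.get_paginator(operation).paginate(**kwargs):
        items.extend(page[key])
    return items

def strip_user_permissions(iam, user_name):
    """Remove groups, managed policies, inline policies, then the boundary.
    Returns what was removed so the change can be logged for audit."""
    removed = {"groups": [], "managed": [], "inline": [], "boundary": None}
    for g in _all(iam, "list_groups_for_user", "Groups", UserName=user_name):
        iam.remove_user_from_group(GroupName=g["GroupName"], UserName=user_name)
        removed["groups"].append(g["GroupName"])
    for p in _all(iam, "list_attached_user_policies", "AttachedPolicies", UserName=user_name):
        iam.detach_user_policy(UserName=user_name, PolicyArn=p["PolicyArn"])  # policy itself survives
        removed["managed"].append(p["PolicyArn"])
    for name in _all(iam, "list_user_policies", "PolicyNames", UserName=user_name):
        iam.delete_user_policy(UserName=user_name, PolicyName=name)  # inline policy is gone for good
        removed["inline"].append(name)
    boundary = iam.get_user(UserName=user_name)["User"].get("PermissionsBoundary")
    if boundary:
        iam.delete_user_permissions_boundary(UserName=user_name)
        removed["boundary"] = boundary["PermissionsBoundaryArn"]
    return removed

class FakeIam:
    """Constructed in-memory stand-in for the boto3 IAM client methods used above."""
    def __init__(self):
        self.groups, self.inline = ["developers"], ["s3-write"]
        self.managed = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
        self.boundary = "arn:aws:iam::123456789012:policy/DevBoundary"  # constructed ARN
    def get_paginator(self, op):
        page = {"list_groups_for_user": {"Groups": [{"GroupName": g} for g in self.groups]},
                "list_attached_user_policies": {"AttachedPolicies": [{"PolicyArn": a} for a in self.managed]},
                "list_user_policies": {"PolicyNames": list(self.inline)}}[op]
        return type("Paginator", (), {"paginate": lambda self, **kw: [page]})()
    def remove_user_from_group(self, GroupName, UserName): self.groups.remove(GroupName)
    def detach_user_policy(self, UserName, PolicyArn): self.managed.remove(PolicyArn)
    def delete_user_policy(self, UserName, PolicyName): self.inline.remove(PolicyName)
    def delete_user_permissions_boundary(self, UserName): self.boundary = None
    def get_user(self, UserName):
        user = {"UserName": UserName}
        if self.boundary:
            user["PermissionsBoundary"] = {"PermissionsBoundaryArn": self.boundary}
        return {"User": user}
```

Against a real client the same call takes effect immediately, so run it with a client whose own permissions are scoped to the users you intend to change.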

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.