AWS - IAM
IAM Policies Federation STS and MFA
Demo Inline Policy
In this walkthrough, we’ll attach an inline IAM policy to our DevOps engineer, Alice, allowing her to upload objects to the my-deployment-bucket S3 bucket only until December 31, 2023. Inline policies are embedded directly on a single IAM identity—ideal for granting one-off or time-limited permissions.
Note
Inline policies are specific to the IAM user, group, or role they’re attached to and cannot be reused by other identities. For reusable permissions, consider using managed policies.
Policy Structure
Below is an overview of the key elements in our inline policy:
| Field | Description | Example |
|---|---|---|
| Version | Specifies the policy language version. | 2012-10-17 |
| Statement | Container for one or more individual permission statements. | See breakdown below |
| Effect | Whether the statement allows or denies access. | Allow |
| Action | The specific API call(s) permitted. | s3:PutObject |
| Resource | The ARN of the S3 bucket (and objects) to which it applies. | arn:aws:s3:::my-deployment-bucket/* |
| Condition | Optional restrictions (e.g., time, IP) on when the action applies. | DateLessThan with aws:CurrentTime |
Statement Breakdown
- Effect: Allow
- Action: s3:PutObject
- Resource: All objects in my-deployment-bucket
- Condition: Only if the request timestamp is before 2023-12-31T23:59:59Z
Steps to Create the Inline Policy
1. Open the IAM console and select the user Alice.
2. Go to the Permissions tab, then click Add permissions → Create inline policy.
3. Switch to the JSON editor and paste the following policy:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-deployment-bucket/*",
         "Condition": {
           "DateLessThan": {
             "aws:CurrentTime": "2023-12-31T23:59:59Z"
           }
         }
       }
     ]
   }

4. Provide a name for the policy (e.g., Alice-S3-Access-Inline-Policy) and click Create policy.
5. Back under Alice’s Permissions tab, verify the new inline policy appears in the list.
Warning
After December 31, 2023 at 23:59:59 UTC, Alice’s upload requests will be denied. Monitor or update the policy before it expires if continued access is needed.
Verification
- Use the AWS CLI or console to attempt an S3 upload as Alice:
aws s3 cp ./local-file.txt s3://my-deployment-bucket/ --profile alice
- Before the expiration date, the upload should succeed. Afterward, you’ll receive an AccessDenied error.
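As an added example (not part of the walkthrough), the Python script below embeds the policy above and simulates how IAM evaluates it against a request: the action, the resource ARN and the DateLessThan condition all have to match before the Allow applies. It also reports how many days remain before the policy expires, which is the check the warning above asks you to keep up with. The evaluator is a deliberately reduced model of IAM's real algorithm (implicit deny, explicit Deny wins, trailing-`*` resource wildcard only), not the service itself, and the sample request ARNs and timestamps are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Added example: the walkthrough's inline policy, embedded as a constant so the
# simulator runs offline (no AWS credentials or API calls involved).
ALICE_INLINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-deployment-bucket/*",
    "Condition": {"DateLessThan": {"aws:CurrentTime": "2023-12-31T23:59:59Z"}}
  }]
}""")

def _ts(iso):
    """Parse the ISO 8601 UTC form IAM uses for aws:CurrentTime."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _arn_matches(pattern, arn):
    """A trailing '*' in a Resource ARN matches any suffix (the only wildcard used here)."""
    return arn.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == arn

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource_arn, request_time_iso):
    """Simplified IAM evaluation: implicit deny, an explicit Deny overrides any Allow,
    and an Allow only counts if action, resource and every condition match."""
    now, decision = _ts(request_time_iso), False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(_arn_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        limit = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
        if limit is not None and not now < _ts(limit):
            continue  # time condition fails: this statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def days_until_expiry(policy, now_iso):
    """Whole days left before the earliest DateLessThan limit; negative once it has passed.
    Returns None when the policy carries no time limit at all."""
    limits = [_ts(s["Condition"]["DateLessThan"]["aws:CurrentTime"])
              for s in policy["Statement"] if "DateLessThan" in s.get("Condition", {})]
    return (min(limits) - _ts(now_iso)).days if limits else None
```

Feeding the expiry figure into a scheduled job or alert is one way to get ahead of the December 31 cut-off rather than discovering it from AccessDenied errors.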