# Demo Inline Policy

> This article explains how to create an inline IAM policy for time-limited S3 uploads by a specific user.

In this walkthrough, we’ll attach an inline IAM policy to our DevOps engineer, **Alice**, allowing her to upload objects to the `my-deployment-bucket` S3 bucket only until **December 31, 2023**. Inline policies are embedded directly on a single IAM identity—ideal for granting one-off or time-limited permissions.

<Callout icon="lightbulb" color="#1CB2FE">
  Inline policies are specific to the IAM user, group, or role they’re attached to and cannot be reused by other identities. For reusable permissions, consider using [managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
</Callout>

## Policy Structure

Below is an overview of the key elements in our inline policy:

| Field     | Description                                                        | Example                               |
| --------- | ------------------------------------------------------------------ | ------------------------------------- |
| Version   | Specifies the policy language version.                             | `2012-10-17`                          |
| Statement | Container for one or more individual permission statements.        | See breakdown below                   |
| Effect    | Whether the statement allows or denies access.                     | `Allow`                               |
| Action    | The specific API call(s) permitted.                                | `s3:PutObject`                        |
| Resource  | The ARN of the S3 bucket (and objects) to which it applies.        | `arn:aws:s3:::my-deployment-bucket/*` |
| Condition | Optional restrictions (e.g., time, IP) on when the action applies. | `DateLessThan` with `aws:CurrentTime` |

### Statement Breakdown

* **Effect**: `Allow`
* **Action**: `s3:PutObject`
* **Resource**: All objects in **my-deployment-bucket**
* **Condition**: Only if the request timestamp is before **2023-12-31T23:59:59Z**

## Steps to Create the Inline Policy

1. Open the **IAM console** and select the user **Alice**.

2. Go to the **Permissions** tab, then click **Add permissions** → **Create inline policy**.

3. Switch to the **JSON** editor and paste the following policy:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-deployment-bucket/*",
         "Condition": {
           "DateLessThan": {
             "aws:CurrentTime": "2023-12-31T23:59:59Z"
           }
         }
       }
     ]
   }
   ```

4. Provide a name for the policy (e.g., **Alice-S3-Access-Inline-Policy**) and click **Create policy**.

5. Back under Alice’s **Permissions** tab, verify the new inline policy appears in the list.

<Callout icon="triangle-alert" color="#FF6B6B">
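  From December 31, 2023 at 23:59:59 UTC onward, the `DateLessThan` condition no longer matches, so this policy stops allowing the upload and Alice’s requests will be denied unless another policy grants `s3:PutObject`. Monitor or update the policy before it expires if continued access is needed.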
</Callout>

## Verification

1. Use the AWS CLI or console to attempt an S3 upload as Alice:
   ```bash
   aws s3 cp ./local-file.txt s3://my-deployment-bucket/ --profile alice
   ```
2. Before the expiration date, the upload should succeed. Afterward, you’ll receive an `AccessDenied` error.
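
To see offline why the result flips at the cutoff, the following added example (not part of the original walkthrough and not AWS's evaluation engine) models this one policy in Python. The names `POLICY` and `is_allowed` are hypothetical, and the model covers only identity-policy `Allow` statements with `DateLessThan` on `aws:CurrentTime`; explicit denies, bucket policies and other condition operators are not modelled.

```python
import json
import re
from datetime import datetime, timezone

# The policy from this page, embedded so the example runs offline.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-deployment-bucket/*",
    "Condition": {"DateLessThan": {"aws:CurrentTime": "2023-12-31T23:59:59Z"}}
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _utc(ts):
    # Parses the ISO 8601 "Z" timestamps used in the policy and in the samples.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _match(pattern, value):
    # IAM-style wildcards: * matches any run of characters, ? a single one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def _condition_holds(condition, now):
    # Only DateLessThan on aws:CurrentTime is modelled; anything else fails closed.
    for operator, keys in condition.items():
        for key, values in keys.items():
            if (operator, key) != ("DateLessThan", "aws:CurrentTime"):
                return False
            if not any(now < _utc(v) for v in _as_list(values)):
                return False
    return True

def is_allowed(policy, action, resource, now):
    """True if an Allow statement matches; False is the implicit deny."""
    for stmt in _as_list(policy["Statement"]):
        if (stmt.get("Effect") == "Allow"
                and any(_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
                and any(_match(r, resource) for r in _as_list(stmt["Resource"]))
                and _condition_holds(stmt.get("Condition", {}), _utc(now))):
            return True
    return False

if __name__ == "__main__":
    key = "arn:aws:s3:::my-deployment-bucket/local-file.txt"  # constructed object ARN
    for when in ("2023-12-31T23:59:58Z", "2023-12-31T23:59:59Z"):
        print(when, is_allowed(POLICY, "s3:PutObject", key, when))
```

Because `DateLessThan` is a strict comparison, the request at exactly `23:59:59Z` is already outside the window, and the bucket ARN without `/*` never matches the `Resource` pattern.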

## Links and References

* [AWS IAM Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)
* [Amazon S3 PutObject API](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html)
* [AWS IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)

