How to Include Inline Policies in AWS with EC2

By John Paul Mueller

In general, you want to avoid using inline policies in AWS (Amazon Web Services) when configuring Elastic Compute Cloud (EC2) because they’re hard to manage and you must go to the individual entities, such as groups, to make any required changes. In addition, the inline policies have a tendency to hide, making troubleshooting problems with your setup just that much harder.

However, you may encounter situations in which an inline policy offers the only way to set security properly. The following steps help you create inline policies as needed. (This procedure uses an example group named EC2Users, but it works with any entity that supports inline policies.)

  1. Select the Groups, Users, or Roles entry in the Navigation pane.
  2. Open the entity you want to work with by clicking its entry in the Object Type page.
  3. Select the Permissions tab of the entity’s Summary page.
    You see areas for both managed policies and inline policies, as shown.

    The Permissions tab of the Summary page contains the entity’s policies.
  4. Click Inline Policies.

    If this is your first inline policy, you see a message saying “There are no inline policies to show. To create one, click here.”

  5. Click the Click Here button.
    You see a Set Permissions page containing two options:

    • Policy Generator: Displays a wizard that lets you easily create a policy for use with your entity. Among the methods for creating an inline policy, this is the easiest.
    • Custom Policy: Displays an editor in which you manually type a policy using the appropriate syntax and grammar. This is the more flexible of the two options for creating an inline policy.
  6. Select a permission generation option and then click the Select button next to that entry.
    The example assumes that you want to use the Policy Generator option. You see the Edit Permissions page, shown here. This interface enables you to allow or deny actions against a specific AWS service and, optionally, a specific resource associated with that service.

    The Edit Permissions page provides access to the permission options.
  7. Configure the permission using the various permission entries and then click Add Statement to add the statement to the policy.
  8. Click Next Step.
    You see the Review Policy page. Because you define the policy using a series of individual permissions, you probably don’t need to edit the policy.
  9. Click Validate Policy.
    If the changes you made work as intended, you see a This Policy Is Valid success message at the top of the page. Always validate your policy before you create it.
  10. Click Apply Policy.
    You see the policy added to the Inline Policies area of the Permissions tab of the entity’s Summary page. In addition, the Inline Policies area now includes a button to create more policies, such as the Create Group Policy entry for groups.

To interact with an existing inline policy, use the links in the Actions column of the policy list. Here’s an overview of the actions you can perform on an inline policy:

  • Show Policy: Displays the code used to create the policy.
  • Edit Policy: Lets you edit the code used to create a policy using the Review Policy page.
  • Remove Policy: Deletes the inline policy so that it no longer affects the entity. The deletion is final, so make sure that you actually want to delete the policy.
  • Simulate Policy: Demonstrates the effect of the policy on the entity. You can set up various configurations and testing criteria so that you know that the inline policy works as expected.
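The console steps above (build a statement per service and action, validate the document, apply it) and the Show/Edit/Remove actions in the list map onto the IAM API that the console calls behind the scenes. The following Python example is added here and is not from the article: it builds the same kind of policy document the Policy Generator produces for the EC2Users group, runs structural checks that stand in for the Validate Policy step, and then attaches, reads back and removes the inline policy through the real boto3 method names (put_group_policy, get_group_policy, delete_group_policy). The policy name "EC2UsersInline", the account ID and the FakeIamClient class are constructed for offline use; replace the fake with boto3.client("iam") to run against an account.

```python
import json

IAM_POLICY_VERSION = "2012-10-17"  # the only version the IAM policy grammar currently accepts


def build_statement(effect, service, actions, resource="*", sid=None):
    """One statement, mirroring the Edit Permissions form: effect, service, actions, resource."""
    if effect not in ("Allow", "Deny"):
        raise ValueError("Effect must be Allow or Deny")
    stmt = {
        "Effect": effect,
        "Action": [f"{service}:{a}" for a in actions],  # IAM actions are always service:Operation
        "Resource": resource,
    }
    if sid:
        stmt["Sid"] = sid
    return stmt


def build_policy(statements):
    """Wrap statements in the document the Review Policy page shows."""
    return {"Version": IAM_POLICY_VERSION, "Statement": list(statements)}


def validate_policy(doc):
    """Structural checks akin to the console's Validate Policy step.
    Returns a list of problems; an empty list means the document is well formed."""
    problems = []
    if doc.get("Version") != IAM_POLICY_VERSION:
        problems.append(f"Version must be {IAM_POLICY_VERSION}")
    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be a non-empty list"]
    for i, s in enumerate(stmts):
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = s.get("Action")
        if isinstance(actions, str):
            actions = [actions]
        if not actions:
            problems.append(f"statement {i}: Action is required")
        else:
            for a in actions:
                if a != "*" and ":" not in a:
                    problems.append(f"statement {i}: action {a!r} must be service:Operation")
        if "Resource" not in s and "NotResource" not in s:
            problems.append(f"statement {i}: Resource is required")
    return problems


def put_inline_policy(iam, group_name, policy_name, doc):
    """Apply Policy: refuse to attach anything that fails validation."""
    problems = validate_policy(doc)
    if problems:
        raise ValueError("; ".join(problems))
    iam.put_group_policy(GroupName=group_name, PolicyName=policy_name,
                         PolicyDocument=json.dumps(doc))
    return policy_name


def show_inline_policy(iam, group_name, policy_name):
    """Show Policy: fetch the document back as a dict (boto3 already decodes it)."""
    doc = iam.get_group_policy(GroupName=group_name, PolicyName=policy_name)["PolicyDocument"]
    return json.loads(doc) if isinstance(doc, str) else doc


def remove_inline_policy(iam, group_name, policy_name):
    """Remove Policy: deletion is final, exactly as in the console."""
    iam.delete_group_policy(GroupName=group_name, PolicyName=policy_name)


class FakeIamClient:
    """Constructed in-memory stand-in for boto3's IAM client (not AWS code); keeps inline policies per group."""

    def __init__(self):
        self.store = {}

    def put_group_policy(self, GroupName, PolicyName, PolicyDocument):
        self.store[(GroupName, PolicyName)] = PolicyDocument

    def get_group_policy(self, GroupName, PolicyName):
        return {"GroupName": GroupName, "PolicyName": PolicyName,
                "PolicyDocument": json.loads(self.store[(GroupName, PolicyName)])}

    def delete_group_policy(self, GroupName, PolicyName):
        del self.store[(GroupName, PolicyName)]


def demo():
    """Full lifecycle for the EC2Users group: create, validate, apply, show, remove."""
    iam = FakeIamClient()  # swap for boto3.client("iam") to run against a real account
    instances = "arn:aws:ec2:us-east-1:123456789012:instance/*"  # constructed account ID
    doc = build_policy([
        build_statement("Allow", "ec2", ["DescribeInstances", "StartInstances"], instances, sid="Ec2UsersCanStart"),
        build_statement("Deny", "ec2", ["TerminateInstances"], instances, sid="NeverTerminate"),
    ])
    put_inline_policy(iam, "EC2Users", "EC2UsersInline", doc)
    shown = show_inline_policy(iam, "EC2Users", "EC2UsersInline")
    remove_inline_policy(iam, "EC2Users", "EC2UsersInline")
    return shown


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The validation here only catches shape errors (wrong Version, unknown Effect, an action without a service prefix, a missing Resource); IAM's own validator additionally knows the real action names, so keep clicking Validate Policy in the console or checking the API response. The Simulate Policy action corresponds to the simulate_principal_policy call, which is the right place to confirm the explicit Deny above wins over the Allow.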