
AWS IAM policy examples

Use these complete IAM policy templates for common workflow types. Each follows the principle of least privilege by restricting access to specific resources.

SQS messaging workflow

Restrict access to a specific queue:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-west-2:123456789012:my-workflow-queue"
    },
    {
      "Effect": "Allow",
      "Action": "sqs:GetQueueAttributes",
      "Resource": "arn:aws:sqs:us-west-2:123456789012:my-workflow-queue"
    }
  ]
}

Replace us-west-2 with your region, 123456789012 with your AWS account ID, and my-workflow-queue with your queue name.

EC2 management workflow

Restrict access to specific instances by tag:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "production"
        }
      }
    }
  ]
}

This policy allows workflows to stop, start, or modify only EC2 instances tagged with Environment=production. The two Describe actions keep "Resource": "*" because EC2 Describe calls do not support resource-level permissions; they are read-only, so the tag condition on the mutating actions is what enforces the scope.

DynamoDB workflow

Restrict access to a specific table:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:Query", "dynamodb:GetItem", "dynamodb:PutItem"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/WorkflowData"
    }
  ]
}

Replace WorkflowData with your table name.

Systems Manager workflow

Restrict access to specific automation documents:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:CreateDocument", "ssm:DeleteDocument"],
      "Resource": "arn:aws:ssm:us-east-1:123456789012:document/WorkflowAutomation-*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:StartAutomationExecution", "ssm:GetAutomationExecution"],
      "Resource": [
        "arn:aws:ssm:us-east-1:123456789012:automation-definition/WorkflowAutomation-*:*",
        "arn:aws:ssm:us-east-1:123456789012:automation-execution/*"
      ]
    }
  ]
}

This restricts automation documents to those prefixed with WorkflowAutomation-.

API Gateway workflow

Restrict access to a specific API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["apigateway:GET", "apigateway:PUT"],
      "Resource": "arn:aws:apigateway:us-west-2::/restapis/abc123xyz/*"
    }
  ]
}

Replace abc123xyz with your API Gateway ID.
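Before attaching one of these templates to a role, it is worth checking that the least-privilege intent survived your edits. The following Python lint is an added example, not New Relic code: it flags wildcard actions, "Resource": "*" on anything other than the EC2 Describe calls (an assumed allow-list you can extend), and ARNs that still carry the placeholder account ID 123456789012. The two sample policies are constructed for the demo.

```python
import json

# Docs placeholder account ID; a deployed policy should never still carry it.
PLACEHOLDER_ACCOUNT = "123456789012"
# Assumed allow-list: EC2 Describe* calls support no resource-level
# permissions, so Resource "*" is the only option for them.
WILDCARD_OK_PREFIX = "ec2:Describe"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return least-privilege findings for an IAM policy document (empty = clean)."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in resources:
            broad = [a for a in actions if not a.startswith(WILDCARD_OK_PREFIX)]
            if broad:
                findings.append(f"statement {i}: Resource '*' with {broad}")
        for arn in resources:
            parts = arn.split(":")  # arn:partition:service:region:account:resource
            if len(parts) > 4 and parts[4] == PLACEHOLDER_ACCOUNT:
                findings.append(f"statement {i}: placeholder account ID in {arn}")
    return findings


# Constructed sample: the page's SQS template with the placeholder left in.
SQS_TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-west-2:123456789012:my-workflow-queue"}]})

# Constructed sample: over-broad grants an automation role should not get.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:StopInstances"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*"}]})

if __name__ == "__main__":
    for name, doc in (("sqs", SQS_TEMPLATE), ("broad", BROAD_POLICY)):
        print(name, lint_policy(doc) or "clean")
```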

Additional resources

For comprehensive AWS permission references:

Important

Those resources use account ID 754728514883 for cloud integrations (monitoring). For workflow automation, always use 253490767857.

AWS credentials overview

Compare authentication methods and choose the right one

IAM role setup

Configure IAM role for production workflows (recommended)

IAM user setup

Set up IAM user with access keys for testing

AWS actions

Browse EC2, Lambda, S3, SQS, and other AWS actions

Copyright © 2026 New Relic Inc.
