Inline Policy Generator for AWS IAM

Build an inline policy the way you'd edit one in the AWS console: a live JSON pane alongside a statement editor, with support for multiple statements in a single policy. Type in the JSON directly or use the panel to add actions by service — the two stay in sync. For background on how policies work, see the AWS IAM policy documentation.

Inline Policy Editor
Policy has valid syntax and structure

Edit statement — Statement1

*

Infrastructure as Code

Attach this as an inline policy on an existing role, user, or group

inline_policy.tfhcl
# Terraform configuration for an AWS IAM inline policy
# Generated by AWS Policy Generator
# Apply with: terraform init && terraform apply
# Assumes the role "MyRole" already exists.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

variable "aws_region" {
  type        = string
  description = "AWS region to deploy into"
  default     = "us-east-1"
}

resource "aws_iam_role_policy" "myinlinepolicy" {
  name   = "MyInlinePolicy"
  role   = "MyRole"

  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Statement1",
        "Effect": "Allow",
        "Action": [],
        "Resource": [
          "*"
        ]
      }
    ]
  })
}

What is an inline policy?

An inline policy is a permissions policy that's embedded directly in a single IAM user, group, or role — or, in IAM Identity Center, directly in a permission set — rather than existing as a standalone, reusable policy object. It has a strict one-to-one relationship with the identity it's attached to: delete the user, group, role, or permission set, and the inline policy goes with it.

That's the key difference from the other two ways to grant permissions in AWS. An AWS managed policy is a ready-made policy that AWS creates and maintains for common use cases and job functions — you attach it, but you don't edit it. A customer managed policy is a standalone policy you create and maintain yourself, which can be attached to many identities at once and reused across your account. An inline policy sits apart from both: it's fully custom like a customer managed policy, but it isn't a separate, reusable object — it lives and dies with the one identity (or permission set) it's defined on.

In IAM Identity Center specifically, inline policies attached to a permission set are the recommended default for fine-grained, custom permissions. Because a permission set can be provisioned into many AWS accounts, its inline policy is deployed identically into every one of those accounts, and only Identity Center administrators can change it. Before rolling out changes, it's worth testing the policy's effect with the IAM policy simulator.

This tool builds the same JSON document either way — as a standalone inline policy on an IAM user, group, or role, or as the inline policy attached to a permission set. Build it here, then paste the JSON into the identity or permission set where it belongs.

Frequently Asked Questions

What's the difference between an inline policy and a managed policy?

A managed policy (AWS managed or customer managed) is a standalone object that can be attached to multiple identities and reused. An inline policy is embedded directly in one identity or permission set, isn't reusable elsewhere, and is deleted automatically if that identity is deleted.

Can I attach an inline policy to an IAM Identity Center permission set?

Yes. When you assign a permission set with an inline policy, IAM Identity Center creates the matching IAM policy in each AWS account where the permission set is provisioned, and attaches it to the role that users assume — you don't create anything manually in those accounts.

Can an inline policy have more than one statement?

Yes — a single policy document can contain many statements, each with its own Sid, Effect, actions, resources, and conditions. This generator supports multiple statements directly, so you can combine permissions for several services in one inline policy.

Is this inline policy generator free to use?

Yes. It's completely free, requires no signup, and runs entirely in your browser — your policies are never sent to a server.