What is an IAM Inline Policy?
An inline policy is a policy embedded directly in a single user, group, or role, with a strict one-to-one relationship to that identity.
Unlike a managed policy, an inline policy has no independent existence: it is part of the identity it is written on, and it is deleted when that identity is deleted. Inline policies are useful when you want to guarantee a policy is never accidentally attached elsewhere.
The trade-off is auditability. Inline policies do not appear in managed-policy inventories, so reviewing them requires enumerating the inline policies of every principal one by one. Attackers exploit this gap, because an inline grant on a role or group can persist unnoticed.
Example
aws iam put-role-policy \
--role-name app-role \
--policy-name scoped-s3 \
--policy-document file://policy.json
Common mistake
Relying on inline policies for broad permissions hides them from standard audits. If you use inline policies, enumerate them per principal during every review.
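Because inline policies must be reviewed per principal, the walk below (an added example, not Shieldly's code) enumerates every user, group and role through boto3's paginators, fetches each inline policy document, and flags Allow statements that pair a wildcard Action with a wildcard Resource. The sample documents are constructed, and the `iam` client it is handed is an assumption.

```python
"""Added example (not Shieldly's code): enumerate inline policies per principal and flag broad grants.
Assumes a boto3 IAM client exposing the standard list_*/get_*_policy calls."""
# Constructed sample documents: a scoped grant like the page's scoped-s3, and a broad one.
SAMPLE_DOCS = {
    "scoped-s3": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "admin-inline": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
}

def is_wildcard(value) -> bool:
    """True if an Action/Resource value is '*' or a service-wide wildcard such as 's3:*'."""
    values = value if isinstance(value, list) else [value]
    return any(v == "*" or v.endswith(":*") for v in values)

def broad_statements(doc: dict) -> list:
    """Sids (or positional labels) of Allow statements whose Action AND Resource are wildcards."""
    stmts = doc.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]  # a single statement may be a bare object
    return [s.get("Sid", f"Statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow"
            and is_wildcard(s.get("Action", [])) and is_wildcard(s.get("Resource", []))]

# (lister, response key, name key, inline-policy lister, inline-policy getter) per principal type
PRINCIPAL_KINDS = (
    ("list_users", "Users", "UserName", "list_user_policies", "get_user_policy"),
    ("list_groups", "Groups", "GroupName", "list_group_policies", "get_group_policy"),
    ("list_roles", "Roles", "RoleName", "list_role_policies", "get_role_policy"),
)

def audit_inline_policies(iam) -> list:
    """Walk every user, group and role; return (principal, policy name, sid) per broad inline grant."""
    findings = []
    for lister, key, name_key, list_pol, get_pol in PRINCIPAL_KINDS:
        for page in iam.get_paginator(lister).paginate():
            for principal in page[key]:
                name = principal[name_key]
                for pol_page in iam.get_paginator(list_pol).paginate(**{name_key: name}):
                    for pol_name in pol_page["PolicyNames"]:
                        # boto3 decodes the URL-encoded PolicyDocument into a dict
                        doc = getattr(iam, get_pol)(**{name_key: name, "PolicyName": pol_name})["PolicyDocument"]
                        findings.extend((name, pol_name, sid) for sid in broad_statements(doc))
    return findings

if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3 installed
    for principal, policy, sid in audit_inline_policies(boto3.client("iam")):
        print(f"{principal}: inline policy {policy!r} statement {sid} allows wildcard Action on wildcard Resource")
```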
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.