
# Types of IAM Policies

**Impossible Cloud supports IAM policies** that allow its users to **have granular control over the use, access and administration of their cloud storage.** Currently the Impossible Cloud Console can manage the following types of policies:

* **Managed Policies**
* **IC Managed Policies**
* **Inline Policies**

An **inline policy** is attached directly to a specific IAM user.\
If that user is deleted, the inline policy is deleted too; it can’t be reused.

A **managed policy** exists as its own separate item in IAM.\
If the group or user it’s linked to is deleted, the policy still exists and can be attached to another IAM user.

## 1. Managed Policies

Managed Policies are a reusable set of permissions that you can attach to multiple users or groups to control what actions they can perform.\
\
Impossible Cloud allows you to have custom policies created and managed by you. Customer managed policies offer greater flexibility as you can define specific permissions based on your requirements. You can also reuse these policies across multiple users or groups within your ICSC environment.

You can either save the policy as a JSON file and attach it via the CLI, or paste it into the ICSC console under “Policies”. A Managed Policy can look like this:

**File example: my-impossible-cloud-policy.json**

```json
{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-impossible-cloud-bucket",
        "arn:aws:s3:::my-impossible-cloud-bucket/*"
      ],
      "Sid": "AllowCommonS3Actions"
    }
  ],
  "Version": "2012-10-17"
}
```

{% hint style="info" %}
This policy lets the assigned user(s) see and upload files to the bucket "my-impossible-cloud-bucket". However, it does not give them permission to download or delete any objects within it.
{% endhint %}
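The following is an added example, not Impossible Cloud code: a minimal evaluator that runs sample requests against the policy above to show why downloads and deletes are refused. It assumes AWS-style evaluation (an explicit Deny wins, then Allow, otherwise implicit deny); the function names and the object key are made up for illustration.

```python
import re

# The managed policy from this page, embedded so the example runs offline.
BUCKET = "arn:aws:s3:::my-impossible-cloud-bucket"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCommonS3Actions",
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:PutObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
}

def wild(pattern, value, ignore_case=False):
    """Policy wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def decide(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    # Simplified model (assumption): one identity policy, plain Action/Resource
    # statements, no Condition, NotAction or NotResource.
    allowed = False
    for stmt in as_list(policy["Statement"]):
        if not any(wild(a, action, True) for a in as_list(stmt["Action"])):
            continue  # action names are matched case-insensitively
        if not any(wild(r, resource) for r in as_list(stmt["Resource"])):
            continue  # resource ARNs are matched case-sensitively
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# Constructed sample requests; the object key is invented for this example.
REQUESTS = [
    ("s3:ListBucket", BUCKET),
    ("s3:PutObject", BUCKET + "/reports/q1.csv"),
    ("s3:GetObject", BUCKET + "/reports/q1.csv"),
    ("s3:DeleteObject", BUCKET + "/reports/q1.csv"),
    ("s3:PutObject", "arn:aws:s3:::another-bucket/reports/q1.csv"),
]

if __name__ == "__main__":
    for action, resource in REQUESTS:
        print(f"{decide(POLICY, action, resource):<13} {action:<16} {resource}")
```

Nothing in the policy denies `s3:GetObject` or `s3:DeleteObject`; they are refused only because no statement allows them, so attaching a second policy that allows them would change the outcome.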

#### Remember to configure your profile:

```sh
aws configure --profile your-profile-name
```

**To attach that Managed Policy to an IAM User using CLI, you can write:**

```sh
# Create the managed policy from the JSON document
aws iam create-policy \
  --policy-name MyICPolicy \
  --policy-document file://my-impossible-cloud-policy.json \
  --endpoint-url https://iam.impossibleapi.net \
  --profile your-profile-name

# Attach the policy to the user by its ARN
aws iam attach-user-policy \
  --user-name "user-name@yourdomain.com" \
  --policy-arn arn:aws:iam::123456789012:policy/MyICPolicy \
  --endpoint-url https://iam.impossibleapi.net/ \
  --profile your-profile-name
```

## 2. IC Managed Policies

IC Managed Policies are pre-defined and maintained by Impossible Cloud. They provide ready-to-use permission sets that can be attached to IAM users and groups.

Use IC Managed Policies when you want a standardized policy maintained by Impossible Cloud, instead of creating and maintaining your own custom managed policy.

### How to access IC Managed Policies

You can access IC Managed Policies via:

* **CLI:** Use IAM policy discovery commands against the IAM endpoint to list and inspect available managed policies.

IC managed policies use the path prefix `/ic` and their ARNs do not include an account ID.

#### CLI examples

List policies:

Use the AWS scope value for provider-managed policies:

```sh
aws iam list-policies \
  --scope AWS \
  --endpoint-url https://iam.impossibleapi.net \
  --profile your-profile-name
```

Attach a selected policy to a user:

```sh
aws iam attach-user-policy \
  --user-name "user-name@yourdomain.com" \
  --policy-arn arn:aws:iam:::policy/ic/ICManagedPolicyName \
  --endpoint-url https://iam.impossibleapi.net \
  --profile your-profile-name
```

{% hint style="info" %}
Tip: For IC managed policies, keep the `/ic/` path in the policy ARN and replace only `ICManagedPolicyName`.
{% endhint %}
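The following is an added example, not Impossible Cloud code: it checks a policy ARN against the two shapes shown on this page before the ARN is passed to `attach-user-policy`, so that an ARN with a dropped `/ic/` path or an unexpected account ID gets a second look. The function name and the `review` label are assumptions of this sketch, and the sample ARNs are the page's own placeholders plus constructed variants.

```python
import re

# arn:<partition>:iam:<region>:<account-id>:policy/<optional/path/><name>
POLICY_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):iam:(?P<region>[^:]*):(?P<account>[^:]*)"
    r":policy/(?P<rest>.+)$"
)

def classify_policy_arn(arn):
    """Return 'ic-managed', 'customer-managed', 'review' or 'invalid'."""
    m = POLICY_ARN.match(arn)
    if not m:
        return "invalid"
    path, _, name = m["rest"].rpartition("/")
    if not name:
        return "invalid"  # the ARN ends in '/', so there is no policy name
    under_ic = path == "ic" or path.startswith("ic/")
    if not m["account"] and under_ic:
        return "ic-managed"        # /ic path prefix and no account ID
    if m["account"] and not under_ic:
        return "customer-managed"  # account ID present, own path
    # Mixed shapes (assumption: worth a manual look before attaching).
    return "review"

# Constructed samples based on the placeholder ARNs used on this page.
SAMPLES = [
    "arn:aws:iam:::policy/ic/ICManagedPolicyName",
    "arn:aws:iam::123456789012:policy/MyICPolicy",
    "arn:aws:iam:::policy/ICManagedPolicyName",              # /ic/ dropped
    "arn:aws:iam::123456789012:policy/ic/ICManagedPolicyName",
]

if __name__ == "__main__":
    for arn in SAMPLES:
        print(f"{classify_policy_arn(arn):<17} {arn}")
```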

## 3. Inline Policies

Inline policies are directly embedded into a single IAM user or group. This type of policy has the following characteristics:

* **Directly Attached:** When you create an inline policy, it becomes part of that specific user or group.
* **Unique to the Identity:** It cannot be attached to any other user or group.
* **No Versioning:** Unlike managed policies, inline policies do not have versioning, meaning you can't easily roll back to a previous version of the policy.
* **Lifecycle:** If you delete the IAM identity, the inline policy is also automatically deleted.

{% hint style="info" %}
Note: While inline policies provide granular control, they are not reusable across different users or groups like the Managed Policies.
{% endhint %}

You can assign inline policies via CLI like this:

```sh
aws iam put-user-policy \
  --user-name "user-name@yourdomain.com" \
  --policy-name CustomInlinePolicy \
  --policy-document file://my-impossible-cloud-policy.json \
  --endpoint-url https://iam.impossibleapi.net/ \
  --profile your-profile-name
```

{% hint style="info" %}
Alternatively, this can be done in the UI in the User > Select User > Inline Policies section.
{% endhint %}

