IAM policy multi resources/statement


I need to create an IAM policy that gives permission to delete and create tags for all AWS services. Can I put the Actions of all services together or should they be separate? Like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "kms:UntagResource",
        "kms:TagResource"
      ],
      "Resource": "*"
    }
  ]
}
natte
asked 8 months ago, 817 views
2 Answers

It is recommended that you break up policies by resource type. If you want to define more than one permission for an entity (user or role), you can use multiple statements in a single policy. You can also attach multiple policies. If you try to define multiple permissions in a single statement, your policy might not grant the access that you expect.

For more info, please review the "Multiple statements and multiple policies" section in the documentation here: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

AWS
answered 8 months ago
reviewed 8 months ago by AWS experts (kentrad)
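The answer above recommends one statement per service rather than a single statement mixing actions from several services. As an added example (not part of the original post and not AWS code), the Python below takes the asker's policy, constructed inline as sample input, flags the mixed-service statement, and rewrites it into one Allow statement per service, copying Resource and any Condition unchanged. The `Allow<Service>` Sid naming is an assumption of this example, not an AWS convention.

```python
"""Split a mixed-service IAM Allow statement into one statement per service.

Added example, not code from the original post or from AWS.  Uses only the
standard library; the input policy is the asker's, reconstructed inline.
"""
import json
from collections import defaultdict

# The asker's policy, completed and constructed here as sample input.
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags",
                "sqs:TagQueue",
                "sqs:UntagQueue",
                "kms:UntagResource",
                "kms:TagResource",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _service_of(action):
    """Service prefix of an action ("ec2:CreateTags" -> "ec2"; "*" -> "*")."""
    return action.split(":", 1)[0]


def find_mixed_service_statements(policy):
    """Return indexes of statements whose Actions span more than one service.

    A bare "*" action counts as its own 'service', so it is flagged when it
    appears next to concrete actions.
    """
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        services = {_service_of(a) for a in _as_list(stmt.get("Action"))}
        if len(services) > 1:
            flagged.append(i)
    return flagged


def split_by_service(policy):
    """Rewrite the policy so every Allow statement covers exactly one service.

    Actions are grouped by service prefix; Resource, NotResource and Condition
    are copied unchanged; a Sid is derived from the service (hypothetical
    naming convention) so the statements stay readable in reviews.  Deny
    statements and statements that already cover one service are kept as-is.
    """
    new_statements = []
    for stmt in policy["Statement"]:
        by_service = defaultdict(list)
        for action in _as_list(stmt.get("Action")):
            by_service[_service_of(action)].append(action)
        if stmt.get("Effect") != "Allow" or len(by_service) <= 1:
            new_statements.append(dict(stmt))
            continue
        for service in sorted(by_service):
            new_stmt = {
                "Sid": f"Allow{service.capitalize()}",  # hypothetical Sid convention
                "Effect": "Allow",
                "Action": sorted(by_service[service]),
            }
            for key in ("Resource", "NotResource", "Condition"):
                if key in stmt:
                    new_stmt[key] = stmt[key]
            new_statements.append(new_stmt)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": new_statements}


if __name__ == "__main__":
    print("mixed-service statements:", find_mixed_service_statements(MIXED_POLICY))
    print(json.dumps(split_by_service(MIXED_POLICY), indent=2))
```

Running it prints the three resulting statements (one each for ec2, kms and sqs). Re-running the check on the output returns no findings, which is the state the answer recommends before the policy is attached.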

Yes, this way the policy attached to a role or user would give that role/user access to perform those tagging actions on all resources, as long as there is no explicit deny in that particular resource policy.

However, it's always recommended to keep your policies least permissive and granular. With this policy, you may later see a requirement to limit it to certain resources of that service type. Refer to Policies and permissions in IAM for more details.

Hope you find this helpful.

Comment here if you have additional questions, happy to help.

Abhishek

AWS Expert
answered 8 months ago
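The second answer's point, that the permission will sooner or later need to be limited to certain resources, can be shown concretely. As an added example (not from the original post and not AWS code), the Python below builds the same three tagging permissions scoped to resource ARNs and to an allow-list of tag keys through the global condition key aws:TagKeys, and includes a small review function that flags the two properties of the asker's original statement: a wildcard Resource, and a tag-writing action with no aws:TagKeys or aws:RequestTag condition. The account ID, Region, ARN patterns, Sid names and tag keys are placeholders assumed for the example. Restricting tag keys matters beyond tidiness: if other policies in the account use tag-based conditions (aws:ResourceTag, aws:PrincipalTag), a principal who can write arbitrary tag keys can change what those conditions evaluate to.

```python
"""Scope tagging permissions by resource ARN and allowed tag keys.

Added example, not code from the original post or from AWS.  Account ID,
Region, ARN patterns, Sid names and tag keys are placeholders.  Stdlib only.
"""
import json

ACCOUNT = "123456789012"  # placeholder account ID
REGION = "us-east-1"      # placeholder Region

# The asker's single broad statement, reconstructed here as sample input.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DeleteTags", "ec2:CreateTags", "sqs:TagQueue",
                   "sqs:UntagQueue", "kms:UntagResource", "kms:TagResource"],
        "Resource": "*",
    }],
}


def scoped_tagging_statement(sid, actions, resources, allowed_tag_keys):
    """One Allow statement limited to specific ARNs and an allow-list of tag keys.

    aws:TagKeys is a multivalued global condition key, so ForAllValues is the
    right set operator: every key in the request must be in the allowed list.
    Caveat from the IAM docs: ForAllValues also evaluates to true when the
    request carries no instance of the key at all.
    """
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": sorted(actions),
        "Resource": list(resources),
        "Condition": {
            "ForAllValues:StringEquals": {"aws:TagKeys": sorted(allowed_tag_keys)}
        },
    }


def build_scoped_policy(allowed_tag_keys):
    """The asker's three services, each scoped to placeholder ARN patterns."""
    ec2 = scoped_tagging_statement(
        "Ec2Tagging", ["ec2:CreateTags", "ec2:DeleteTags"],
        [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
         f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*"],
        allowed_tag_keys)
    sqs = scoped_tagging_statement(
        "SqsTagging", ["sqs:TagQueue", "sqs:UntagQueue"],
        [f"arn:aws:sqs:{REGION}:{ACCOUNT}:app-*"],  # hypothetical queue prefix
        allowed_tag_keys)
    kms = scoped_tagging_statement(
        "KmsTagging", ["kms:TagResource", "kms:UntagResource"],
        [f"arn:aws:kms:{REGION}:{ACCOUNT}:key/*"],
        allowed_tag_keys)
    return {"Version": "2012-10-17", "Statement": [ec2, sqs, kms]}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _has_tag_key_condition(stmt):
    """True if any condition block constrains aws:TagKeys or aws:RequestTag/<key>."""
    for operator_values in stmt.get("Condition", {}).values():
        for key in operator_values:
            k = key.lower()
            if k == "aws:tagkeys" or k.startswith("aws:requesttag/"):
                return True
    return False


def _is_tag_write_action(action):
    """Heuristic: action name mentions tags and is not a Describe/List/Get read."""
    name = action.split(":", 1)[-1].lower()
    return "tag" in name and not name.startswith(("describe", "list", "get"))


def review_policy(policy):
    """Return (sid_or_index, finding) pairs for Allow statements that look too broad.

    This is a review aid, not a hard gate: some services have no
    resource-level permissions and legitimately require Resource "*".
    """
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((label, "Resource is '*'"))
        if (any(_is_tag_write_action(a) for a in _as_list(stmt.get("Action")))
                and not _has_tag_key_condition(stmt)):
            findings.append((label, "tagging action without aws:TagKeys or aws:RequestTag condition"))
    return findings


if __name__ == "__main__":
    print("broad policy findings:", review_policy(BROAD_POLICY))
    scoped = build_scoped_policy(["Environment", "Owner"])
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", review_policy(scoped))
```

Before attaching the scoped version, confirm in each service's authorization reference that the actions you list support aws:TagKeys and resource-level permissions for the ARN types you scope to; the three services here do, but the check is cheap and the failure mode (a condition that is silently ignored) is not.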
