Best practice for creating a broad read-only IAM role


We are trying to streamline our IAM roles into major user tasks and require a role with broad-reaching (but not comprehensive) read-only access.

Trying to write each service and action individually in a custom policy results in a massive policy size, well over the maximum size limit. Condensing these use actions such as Get* doesn't get it anywhere near close still.

We have found the ReadOnlyAccess managed policy, but this is far too broad and grants permissions to services such as Billing, KMS etc.

What are the best practices around trying to design a role such as this? We have other similar roles with further expanded permissions planned on top of this, is there an easier way to create these roles or is this simply not the best way to divide role responsibility?

1 Answer
Accepted Answer


I thought, how about setting ReadOnlyAccess and using a Permissions boundary to allow only the necessary services?
For example, if you set ReadOnlyAccess in the IAM policy and set the following Permissions boundary, you can only allow reading to EC2.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "test",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
profile picture
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions