In [5]:
import boto3
# IAM entry points used by every cell below. Credentials and region are resolved by the
# standard boto3 provider chain (environment variables, shared config/credentials files,
# instance/role credentials) — nothing is hardcoded in this notebook.
client = boto3.client('iam')      # low-level API: attach_group_policy, create_policy, delete_policy
iam = boto3.resource('iam')       # resource layer: iam.Policy(arn).delete()

## ADD A POLICY TO A GROUP
- When you create an IAM user, by default, it has no permissions
- You have to explicitly give the user permission to do anything in that account
- The way that you grant or deny permission is to attach an IAM policy to the user (or to a group the user belongs to, or to a role the user assumes)
- You can attach a policy to a group and every current and future member of that group will have those permissions — so review group membership before attaching a broad policy

### 1. COMPLETE & 2. SHORT

In [2]:
# Attach an AWS managed policy to the 'finance' group. Every member of the group
# inherits the policy's permissions (IAM is default-deny otherwise).
group_name = 'finance'
managed_policy_arn = 'arn:aws:iam::aws:policy/AWSMobileHub_ReadOnly'
response = client.attach_group_policy(GroupName=group_name, PolicyArn=managed_policy_arn)

## CREATE A 'CUSTOMER MANAGED' POLICY
- Version: policy language version; use "2012-10-17" (the current version, and the one the code below uses)
- Statement: One or more individual statements
- Sid: Identifier of the statement
- Effect: Whether the statement allows or denies access
- Action: List of actions this policy allows or denies
- Resource: List of resource ARNs the actions apply to

In [8]:
import json

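BUCKET_NAME = 'akim-digital-food-01'
POLICY_NAME = 's3ListBuckets'


def _list_bucket_policy(bucket_name: str) -> dict:
    """Build a least-privilege policy document allowing s3:ListBucket on one bucket.

    s3:ListBucket is a bucket-level action, so the Resource is the bucket ARN itself
    (no trailing ``/*``); object-level actions such as s3:GetObject would need
    ``arn:aws:s3:::<bucket>/*`` instead.

    Args:
        bucket_name: name of the S3 bucket the statement is scoped to.
    Returns:
        A policy document as a plain dict, ready for ``json.dumps``.
    Raises:
        ValueError: if ``bucket_name`` is empty (an empty name would yield the
            malformed resource ``arn:aws:s3:::``).
    """
    if not bucket_name:
        raise ValueError("bucket_name must be a non-empty S3 bucket name")
    return {
        "Version": "2012-10-17",  # policy language version (current one)
        "Statement": [
            {
                "Sid": "s3ListBuckets",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket_name}",
            }
        ],
    }


policy_json = _list_bucket_policy(BUCKET_NAME)

# Creating the policy grants nothing by itself: AttachmentCount stays 0 until it is
# attached to a user, group or role. The call fails with EntityAlreadyExists if a
# policy with this name already exists in the account.
response = client.create_policy(
    PolicyName=POLICY_NAME,
    PolicyDocument=json.dumps(policy_json),
)

# Note: the response contains the account ID in the policy ARN — review before sharing.
print(response['Policy'])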

{'PolicyName': 's3ListBuckets', 'PolicyId': 'ANPAVVATKWKBY4IMF4YSY', 'Arn': 'arn:aws:iam::388735087235:policy/s3ListBuckets', 'Path': '/', 'DefaultVersionId': 'v1', 'AttachmentCount': 0, 'PermissionsBoundaryUsageCount': 0, 'IsAttachable': True, 'CreateDate': datetime.datetime(2021, 11, 6, 20, 5, 1, tzinfo=tzutc()), 'UpdateDate': datetime.datetime(2021, 11, 6, 20, 5, 1, tzinfo=tzutc())}


## DELETE A 'CUSTOMER MANAGED POLICY' using the resource interface
- IAM refuses the delete with `DeleteConflict` while the policy is still attached to any user, group or role, or still has non-default versions — detach it and delete the extra versions first

In [7]:
# Resource-style deletion: bind the policy ARN to a Policy object, then delete it.
# Same preconditions as client.delete_policy — the policy must be detached everywhere
# and have no non-default versions, otherwise IAM raises DeleteConflict.
customer_policy_arn = 'arn:aws:iam::388735087235:policy/s3ListBuckets'
policy = iam.Policy(customer_policy_arn)
policy.delete()
print('Policy has been deleted')

Policy has been deleted


## DELETE A 'CUSTOMER MANAGED POLICY' using the client interface

In [9]:
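POLICY_ARN = 'arn:aws:iam::388735087235:policy/s3ListBuckets'

# Client-style deletion of the same ARN the resource-style cell above already deletes.
# On a fresh "Restart & Run All" that earlier cell has removed the policy, so this call
# would fail with NoSuchEntity; treat "already gone" as success so the notebook stays
# runnable end to end. DeleteConflict (still attached / non-default versions) is NOT
# swallowed — that is a real precondition failure the operator must fix.
try:
    response = client.delete_policy(PolicyArn=POLICY_ARN)
except client.exceptions.NoSuchEntityException:
    response = None
    print(f'{POLICY_ARN} does not exist (already deleted)')
else:
    print(response)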

{'ResponseMetadata': {'RequestId': 'a6f541e6-ef30-4a2d-90b7-de67ec079e57', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'a6f541e6-ef30-4a2d-90b7-de67ec079e57', 'content-type': 'text/xml', 'content-length': '204', 'date': 'Sat, 06 Nov 2021 20:06:08 GMT'}, 'RetryAttempts': 0}}
