IAMUnmodifiableEntity - IAM Unmodifiable Entity

Getting an **IAMUnmodifiableEntity** error means the IAM entity you tried to change is owned and maintained by AWS and cannot be modified from your account. It is raised for two kinds of entity: AWS managed policies (ARNs of the form arn:aws:iam::aws:policy/NAME, where the account field is the literal "aws"), which customers cannot edit, version or delete, and service-linked roles (roles under the path /aws-service-role/), whose trust and permissions policies may only be changed or deleted by the service that owns them. This is a client-side (4xx) error produced when IAM validates the request against the target entity; it is not a permissions or network failure, so retrying or granting the caller more permissions does not help. The fix is to create a customer managed equivalent (a customer managed policy copied from the AWS managed one, or an ordinary IAM role you own) and use that instead.

Common Causes

  • Target entity is an AWS managed policy: the ARN has the literal "aws" in the account field (arn:aws:iam::aws:policy/NAME). AWS managed policies are readable but cannot be edited, versioned or deleted by customers.
  • Target entity is a service-linked role: the role path is /aws-service-role/. Its trust and permissions policies are maintained by the owning service, and it can only be deleted with aws iam delete-service-linked-role once that service no longer uses it.
  • Not a cause: Service Control Policies, permission boundaries and VPC endpoint policies restrict the caller rather than the entity, and a request they block fails with AccessDenied, not IAMUnmodifiableEntity. IAM users and groups are always created in your account and do not raise this error.

Solutions

  1. Step 1: Diagnose - Check whether the policy is AWS managed: AWS managed policies have the ARN format arn:aws:iam::aws:policy/NAME (the account field is the literal "aws"), while customer managed policies carry your account ID (arn:aws:iam::123456789012:policy/NAME). The ARN alone settles it; aws iam get-policy --policy-arn POLICY_ARN --query 'Policy.[Arn,DefaultVersionId]' --output text additionally returns the default version you will need to copy.
  2. Step 2: Diagnose - Check the entity type: For roles, service-linked roles live under the path /aws-service-role/: aws iam get-role --role-name ROLE_NAME --query 'Role.Path' --output text. Such roles belong to the service that created them, and only that service can change their trust or permissions policy.
  3. Step 3: Diagnose - Review what is and is not allowed: AWS managed policies cannot be edited, versioned or deleted. Service-linked roles can only be removed with aws iam delete-service-linked-role, and only after the owning service has stopped using them. Check the owning service's documentation for the operations it supports on its role.
  4. Step 4: Fix - Create a customer managed policy: Copy the AWS managed policy's default version document (aws iam get-policy-version --policy-arn POLICY_ARN --version-id VERSION_ID --query 'PolicyVersion.Document' --output json > policy.json), trim it to the permissions you actually need, then create the policy: aws iam create-policy --policy-name POLICY_NAME --policy-document file://policy.json. Customer managed policies can be changed later with aws iam create-policy-version.
  5. Step 5: Fix - Switch attachments or create a new entity: For policies, attach the customer managed copy (aws iam attach-role-policy, attach-user-policy or attach-group-policy) and detach the AWS managed original. For roles, create a new role with the desired trust and permissions policies instead of editing the service-linked role. Note that the copy does not receive the updates AWS makes to its managed policies, so review it periodically.
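The diagnosis and fix above, combined into one script, as an added example (not code from the original page or from AWS). The ARN classification runs offline and is the part worth reusing; the function names, the sample ARNs, the "-copy" suffix for the cloned policy and the temporary-file handling are this example's own choices, and clone_aws_managed_policy needs the aws CLI with credentials allowed iam:GetPolicy, iam:GetPolicyVersion and iam:CreatePolicy.

```shell
#!/bin/sh
# Added example: classify an IAM entity ARN, then apply the fix that matches.
# Function names, sample ARNs and the "-copy" naming are assumptions of this example.

# Print one of: aws-managed-policy, customer-managed-policy, service-linked-role,
# customer-managed-role, user, group. Prints "unknown" and returns 1 for anything
# that is not an IAM ARN. Works for every partition (aws, aws-cn, aws-us-gov).
classify_iam_entity() {
  arn=$1
  # ARN layout: arn:partition:service:region:account:resource (region is empty for IAM)
  rest=${arn#arn:}
  [ "$rest" != "$arn" ] || { echo unknown; return 1; }
  partition=${rest%%:*}; rest=${rest#*:}
  service=${rest%%:*};   rest=${rest#*:}
  region=${rest%%:*};    rest=${rest#*:}
  account=${rest%%:*};   resource=${rest#*:}
  [ "$service" = iam ] || { echo unknown; return 1; }
  case "$resource" in
    policy/*)
      # The account field is the literal "aws" for AWS managed policies
      if [ "$account" = aws ]; then echo aws-managed-policy; else echo customer-managed-policy; fi ;;
    role/aws-service-role/*) echo service-linked-role ;;
    role/*)                  echo customer-managed-role ;;
    user/*)                  echo user ;;
    group/*)                 echo group ;;
    *) echo unknown; return 1 ;;
  esac
}

# Exit 0 when the entity can be changed from this account, 1 when IAM would
# reject the change with IAMUnmodifiableEntity (or the ARN is not an IAM entity).
is_modifiable() {
  case "$(classify_iam_entity "$1")" in
    aws-managed-policy|service-linked-role|unknown) return 1 ;;
    *) return 0 ;;
  esac
}

# Copy the default version of an AWS managed policy into a customer managed
# policy named "<PolicyName>-copy" and print the new ARN. Requires the aws CLI.
clone_aws_managed_policy() {
  src_arn=$1
  name="${src_arn##*/}-copy"
  version=$(aws iam get-policy --policy-arn "$src_arn" \
    --query 'Policy.DefaultVersionId' --output text)
  doc=$(mktemp)
  # The CLI returns the document already URL-decoded, so it can be reused as-is
  aws iam get-policy-version --policy-arn "$src_arn" --version-id "$version" \
    --query 'PolicyVersion.Document' --output json > "$doc"
  aws iam create-policy --policy-name "$name" \
    --policy-document "file://$doc" --query 'Policy.Arn' --output text
  rm -f "$doc"
}

main() {
  arn=$1
  kind=$(classify_iam_entity "$arn") || { echo "Not an IAM entity ARN: $arn" >&2; return 1; }
  echo "$arn is $kind"
  case "$kind" in
    aws-managed-policy)
      echo "AWS managed policies cannot be modified; creating a customer managed copy:"
      clone_aws_managed_policy "$arn"
      echo "Attach the copy, detach the original, and re-review the copy when AWS updates the managed policy." ;;
    service-linked-role)
      echo "Only the owning service can change this role. Create your own role instead, or remove it with:"
      echo "  aws iam delete-service-linked-role --role-name ${arn##*/}" ;;
    *)
      echo "Customer managed entity; use the normal IAM update calls (for example create-policy-version)." ;;
  esac
}

# Run only when an ARN is supplied, so the functions can also be sourced into other scripts.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as ./iam-unmodifiable.sh arn:aws:iam::aws:policy/ReadOnlyAccess; classify_iam_entity is deliberately free of aws CLI calls so the decision can be unit-tested and reused in CI checks that flag attempts to edit AWS managed entities before they reach the API.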

Code Examples

Check if IAM Policy is AWS Managed (Unmodifiable)
#!/bin/bash
set -euo pipefail
POLICY_ARN="arn:aws:iam::aws:policy/ReadOnlyAccess"

echo "=== Checking Policy Type ==="
echo "Policy ARN: ${POLICY_ARN}"

# Field 5 of an ARN is the account ID; AWS managed policies carry the literal "aws" there
ARN_ACCOUNT=$(echo "${POLICY_ARN}" | cut -d: -f5)
if [ "${ARN_ACCOUNT}" = "aws" ]; then
  echo "✗ Policy is AWS managed (IAMUnmodifiableEntity)"
  echo "AWS managed policies cannot be modified"
  POLICY_TYPE="AWS"
else
  echo "✓ Policy is customer managed"
  POLICY_TYPE="Customer"
fi

# Get policy details (AWS managed policies are readable, just not writable).
# DefaultVersionId is the version to copy when creating a customer managed replacement.
printf '\n=== Policy Details ===\n'
aws iam get-policy --policy-arn "${POLICY_ARN}" \
  --query 'Policy.[PolicyName,Arn,IsAttachable,DefaultVersionId]' \
  --output table

if [ "${POLICY_TYPE}" = "AWS" ]; then
  printf '\n=== Solution ===\n'
  echo "Create a customer managed policy instead"
fi
Create Customer Managed Policy (Modifiable)
#!/bin/bash
set -uo pipefail
POLICY_NAME="my-custom-policy"
POLICY_FILE="custom-policy.json"

echo "=== Creating Customer Managed Policy ==="

# Create policy document. Scope Resource to the bucket(s) actually needed rather
# than "*"; EXAMPLE_BUCKET is a placeholder for your bucket name.
cat > "${POLICY_FILE}" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE_BUCKET/*"
    }
  ]
}
EOF

echo "Policy document created: ${POLICY_FILE}"

# Create customer managed policy (can be modified). Capture stderr separately
# so an error message is never mistaken for a policy ARN.
ERR_FILE=$(mktemp)
if POLICY_ARN=$(aws iam create-policy \
  --policy-name "${POLICY_NAME}" \
  --policy-document "file://${POLICY_FILE}" \
  --query 'Policy.Arn' \
  --output text 2>"${ERR_FILE}"); then
  printf '\n✓ Customer managed policy created: %s\n' "${POLICY_ARN}"
  echo "This policy can be modified (unlike AWS managed policies)"
else
  printf '\n✗ Failed to create policy\n'
  echo "Error: $(cat "${ERR_FILE}")"
fi
rm -f "${ERR_FILE}"
Modify Customer Managed Policy
#!/bin/bash
set -uo pipefail
POLICY_ARN="arn:aws:iam::123456789012:policy/my-custom-policy"
NEW_POLICY_FILE="new-policy.json"

echo "=== Modifying Customer Managed Policy ==="
echo "Policy ARN: ${POLICY_ARN}"

# Field 5 of the ARN is the account ID; "aws" marks an AWS managed policy
ARN_ACCOUNT=$(echo "${POLICY_ARN}" | cut -d: -f5)
if [ "${ARN_ACCOUNT}" = "aws" ]; then
  echo "✗ Cannot modify AWS managed policy (IAMUnmodifiableEntity)"
  exit 1
fi

# A customer managed policy holds at most 5 versions. Prune the oldest
# non-default version first, or create-policy-version fails with LimitExceeded.
VERSION_COUNT=$(aws iam list-policy-versions --policy-arn "${POLICY_ARN}" \
  --query 'length(Versions)' --output text)
if [ "${VERSION_COUNT}" -ge 5 ]; then
  OLDEST=$(aws iam list-policy-versions --policy-arn "${POLICY_ARN}" \
    --query 'sort_by(Versions[?IsDefaultVersion==`false`], &CreateDate)[0].VersionId' \
    --output text)
  echo "Deleting oldest non-default version ${OLDEST} to stay under the 5-version limit"
  aws iam delete-policy-version --policy-arn "${POLICY_ARN}" --version-id "${OLDEST}"
fi

# Create new policy version and make it the default in one call
printf '\n=== Creating New Policy Version ===\n'
if aws iam create-policy-version \
  --policy-arn "${POLICY_ARN}" \
  --policy-document "file://${NEW_POLICY_FILE}" \
  --set-as-default \
  --output json; then
  printf '\n✓ Policy version created and set as default\n'
else
  printf '\n✗ Failed to create policy version\n'
fi

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.
