Hamed Minaee

Reputation: 2560

Cannot create only IAM policy with cloudformation

I am having an issue creating an IAM policy in CloudFormation. When I run it, I get the error that Groups, Roles, Users is required:

Here is my code:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Template IAM Groups and Policies",
  "Resources": {
    "PolicyAutoScalingLimitedOperation": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "AutoScaling-Limited-Operation",
        "PolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:*"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "cloudwatch:PutMetricData"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
              ],
              "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "kms:ListAliases",
                "kms:ListKeys",
                "kms:Encrypt",
                "kms:Decrypt"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}

Now when I run it I get:

At least one of [Groups,Roles,Users] must be non-empty.

Does that mean I cannot create a policy with CloudFormation without adding a user/role to it?

Upvotes: 29

Views: 19059

Answers (2)

captainblack

Reputation: 4425

From the documentation:

AWS::IAM::ManagedPolicy creates an AWS Identity and Access Management (IAM) managed policy for your AWS account, which you can use to apply permissions to IAM users, groups, and roles.

Here's an example:

Resources:
  CreateTestDBPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "Policy for creating a test database"
      Path: "/"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "rds:CreateDBInstance"
            Resource: "*"

This will resolve your issue.

Upvotes: 11

Laurent Jalbert Simard

Reputation: 6329

You probably want to create an AWS::IAM::ManagedPolicy if you just want a standalone policy.

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html

Upvotes: 58
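Both answers point at AWS::IAM::ManagedPolicy as the resource for a standalone policy. As an added example that is not code from either answer or from AWS, here is a small Python pre-deploy check that finds AWS::IAM::Policy resources with none of Groups, Roles or Users set (the exact condition behind the "At least one of [Groups,Roles,Users] must be non-empty" error in the question) and rewrites them as AWS::IAM::ManagedPolicy. The embedded template is a trimmed, constructed copy of the one in the question; the function names are my own, and the script only handles JSON templates.

```python
import json
from copy import deepcopy

# Constructed sample: a trimmed version of the template in the question.
# An AWS::IAM::Policy with no Groups/Roles/Users is exactly what CloudFormation
# rejects with "At least one of [Groups,Roles,Users] must be non-empty."
QUESTION_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "PolicyAutoScalingLimitedOperation": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "AutoScaling-Limited-Operation",
        "PolicyDocument": {
          "Statement": [
            {"Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*"}
          ]
        }
      }
    }
  }
}
""")

# The three properties that attach an inline policy to a principal.
ATTACH_KEYS = ("Groups", "Roles", "Users")


def find_unattached_inline_policies(template):
    """Return logical IDs of AWS::IAM::Policy resources that name no principal.

    CloudFormation requires an inline policy (AWS::IAM::Policy) to be attached
    to at least one group, role or user; a policy that should exist on its own
    must be an AWS::IAM::ManagedPolicy instead.
    """
    offenders = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        props = resource.get("Properties", {})
        # An empty list counts as "empty" here, matching the error message.
        if not any(props.get(key) for key in ATTACH_KEYS):
            offenders.append(logical_id)
    return offenders


def to_managed_policy(resource):
    """Rewrite one inline AWS::IAM::Policy resource as an AWS::IAM::ManagedPolicy.

    PolicyName becomes ManagedPolicyName; PolicyDocument is kept verbatim, with a
    Version supplied if missing (without one, IAM falls back to the older
    2008-10-17 grammar, which has no policy variables).
    """
    if resource.get("Type") != "AWS::IAM::Policy":
        raise ValueError("only AWS::IAM::Policy resources can be converted")
    props = deepcopy(resource.get("Properties", {}))
    new_props = {"PolicyDocument": props["PolicyDocument"]}
    new_props["PolicyDocument"].setdefault("Version", "2012-10-17")
    if "PolicyName" in props:
        new_props["ManagedPolicyName"] = props["PolicyName"]
    # Groups/Roles/Users are optional on a managed policy; keep any that exist.
    for key in ATTACH_KEYS:
        if props.get(key):
            new_props[key] = props[key]
    return {"Type": "AWS::IAM::ManagedPolicy", "Properties": new_props}


def fix_template(template):
    """Return a copy of the template with every unattached inline policy converted."""
    fixed = deepcopy(template)
    for logical_id in find_unattached_inline_policies(fixed):
        fixed["Resources"][logical_id] = to_managed_policy(fixed["Resources"][logical_id])
    return fixed


if __name__ == "__main__":
    print("unattached inline policies:", find_unattached_inline_policies(QUESTION_TEMPLATE))
    print(json.dumps(fix_template(QUESTION_TEMPLATE), indent=2))
```

Running the script on the question's template reports `PolicyAutoScalingLimitedOperation` and emits the same resource as a managed policy named `AutoScaling-Limited-Operation`, which CloudFormation will create without any Groups, Roles or Users so it can be attached to principals later. Running this check locally, before `aws cloudformation deploy`, turns a failed stack creation into an immediate local error.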
