IAM Policies

Overview

  • There are two types of IAM policies:
    • Managed Policies - AWS Managed and Customer Managed.
    • Inline Policies.

AWS managed policy

  • An AWS managed policy is a standalone policy that is created and administered by AWS.
    • Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name.
      • For example, arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy.
  • AWS managed policies are designed to provide permissions for many common use cases.
  • You cannot change the permissions defined in AWS managed policies.

Customer managed policies

  • These are standalone policies that you administer in your own AWS account.
  • You can then attach the policies to multiple principal entities in your AWS account.
  • When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.
  • A great way to create a customer managed policy is to start by copying an existing AWS managed policy.
    • That way you know that the policy is correct at the beginning and all you need to do is customize it to your environment.
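An added example (not part of these notes or of any AWS tooling): a stdlib-only Python helper that tells AWS managed and customer managed policy ARNs apart by their account field, and that takes a policy document copied from a managed policy and narrows its wildcard resources to your own ARNs before you save it as a customer managed policy. The sample document and every ARN other than IAMReadOnlyAccess are constructed placeholders, not the real text of any AWS managed policy.

```python
"""Tell AWS managed from customer managed policy ARNs, and turn a copied
managed-policy document into a narrower customer managed one.
Added example: plain Python, no AWS SDK, runs offline."""
import copy
import re

# Managed policy ARN shape: arn:<partition>:iam::<account>:policy/<path><name>
# AWS managed policies use the literal account "aws"; customer managed
# policies carry the 12-digit ID of the account that owns them.
_POLICY_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::"
    r"(?P<account>aws|\d{12}):policy/(?P<path_and_name>[^/].*)$"
)


def classify_policy_arn(arn):
    """Return 'aws-managed', 'customer-managed' or 'invalid'."""
    m = _POLICY_ARN.match(arn)
    if not m:
        return "invalid"
    return "aws-managed" if m.group("account") == "aws" else "customer-managed"


def policy_name(arn):
    """Policy name without its optional path, e.g. 'IAMReadOnlyAccess'."""
    m = _POLICY_ARN.match(arn)
    if not m:
        raise ValueError(f"not a managed policy ARN: {arn}")
    return m.group("path_and_name").rsplit("/", 1)[-1]


# Constructed sample standing in for a document copied from an AWS managed
# policy. It is NOT the real text of IAMReadOnlyAccess or any other policy.
COPIED_AWS_MANAGED_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"}
    ],
}


def wildcard_resource_count(doc):
    """How many Allow statements still grant their actions on every resource."""
    return sum(1 for s in doc["Statement"]
               if s.get("Effect") == "Allow" and s.get("Resource") == "*")


def customize_copied_policy(doc, resources):
    """Deep-copy a managed policy document and pin every Allow statement that
    targets Resource "*" to the given ARNs. The input document is left
    untouched (an AWS managed policy cannot be edited in place anyway)."""
    resources = list(resources)
    if not resources:
        raise ValueError("at least one resource ARN is required")
    new = copy.deepcopy(doc)
    for stmt in new["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*":
            stmt["Resource"] = resources
    return new


if __name__ == "__main__":
    import json
    print(classify_policy_arn("arn:aws:iam::aws:policy/IAMReadOnlyAccess"))
    scoped = customize_copied_policy(
        COPIED_AWS_MANAGED_DOC,
        ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"])
    print(json.dumps(scoped, indent=2))
```

The ARN check is the quick way to confirm which kind of policy an audit or an attach call is dealing with: anything with `aws` in the account position is AWS-maintained and read-only, anything with a 12-digit account is yours to version and narrow. The `wildcard_resource_count` helper is useful as a final check before creating the customer managed policy, since a copied read-only policy typically starts with `Resource: "*"`.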

Inline policies

  • An inline policy is a policy that's embedded in an IAM identity (a user, group, or role).
    • The policy is an inherent part of the identity.
  • Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to.
    • For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for.
  • When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity.

Managed Policy Benefits

  • In most cases, AWS recommends that you use managed policies instead of inline policies.
  • Managed policies provide the following features:
    • Reusability:
      • A single managed policy can be attached to multiple principal entities (users, groups, and roles).
    • Central change management:
      • When you change a managed policy, the change is applied to all principal entities that the policy is attached to.
    • Versioning and rolling back:
      • When you change a customer managed policy, the changed policy doesn't overwrite the existing policy.
        • Instead, IAM creates a new version of the managed policy.
    • Automatic updates for AWS managed policies:
      • AWS maintains AWS managed policies and updates them when necessary (for example, to add permissions for new AWS services), without you having to make changes.
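An added example, not part of these notes and not boto3 or IAM itself: a small in-memory model of the managed-versus-inline behaviour the sections above describe. It reproduces one managed policy attached to several principals, a central change applied through a new policy version, a rollback to the earlier version, the five-version cap IAM places on a customer managed policy, the refusal to delete a policy that is still attached, and inline policies that exist only inside their identity. The account ID, policy ARN, identity names and policy documents are constructed.

```python
"""In-memory model of IAM managed-versus-inline policy semantics.
Added example; it mirrors documented IAM behaviour but talks to no AWS API."""
from dataclasses import dataclass, field

MAX_POLICY_VERSIONS = 5  # IAM keeps at most five versions of a customer managed policy


class PolicyError(Exception):
    """Stands in for IAM errors such as LimitExceeded and DeleteConflict."""


@dataclass
class ManagedPolicy:
    arn: str
    versions: dict = field(default_factory=dict)  # version id -> policy document
    default_version: str = ""
    _next: int = 1

    def create_version(self, document, set_as_default=False):
        """Changing a managed policy never overwrites it; a new version is added."""
        if len(self.versions) >= MAX_POLICY_VERSIONS:
            raise PolicyError("LimitExceeded: delete an old version before adding one")
        vid = f"v{self._next}"
        self._next += 1
        self.versions[vid] = document
        if set_as_default or not self.default_version:
            self.default_version = vid
        return vid

    def set_default_version(self, vid):
        """Rollback: point the policy back at an earlier version that still exists."""
        if vid not in self.versions:
            raise PolicyError(f"NoSuchEntity: {vid}")
        self.default_version = vid

    @property
    def document(self):
        return self.versions[self.default_version]


@dataclass
class Identity:
    name: str
    attached: list = field(default_factory=list)  # ManagedPolicy objects, shared by reference
    inline: dict = field(default_factory=dict)    # inline policy name -> document, owned


class Account:
    def __init__(self):
        self.policies = {}    # arn -> ManagedPolicy
        self.identities = {}  # name -> Identity

    def create_policy(self, arn, document):
        policy = ManagedPolicy(arn)
        policy.create_version(document)
        self.policies[arn] = policy
        return policy

    def attach_policy(self, identity_name, arn):
        self.identities[identity_name].attached.append(self.policies[arn])

    def put_inline_policy(self, identity_name, name, document):
        self.identities[identity_name].inline[name] = document

    def delete_policy(self, arn):
        """A managed policy cannot be deleted while any entity still has it attached."""
        for ident in self.identities.values():
            if any(p.arn == arn for p in ident.attached):
                raise PolicyError(f"DeleteConflict: {arn} is attached to {ident.name}")
        del self.policies[arn]

    def delete_identity(self, name):
        """Inline policies are part of the identity, so they vanish with it."""
        del self.identities[name]


def allowed_actions(identity):
    """Union of Allow actions across attached managed policies and inline policies."""
    docs = [p.document for p in identity.attached] + list(identity.inline.values())
    actions = set()
    for doc in docs:
        for stmt in doc["Statement"]:
            if stmt["Effect"] == "Allow":
                acts = stmt["Action"]
                actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def _doc(*actions):
    """Constructed policy document allowing the given actions on all resources."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def walkthrough():
    """Run the scenario from the notes above and return what each step yields."""
    acct = Account()
    arn = "arn:aws:iam::123456789012:policy/ExampleReadPolicy"  # constructed ARN
    for name in ("alice", "bob"):
        acct.identities[name] = Identity(name)
    acct.create_policy(arn, _doc("s3:GetObject"))
    acct.attach_policy("alice", arn)  # reusability: one policy, several principals
    acct.attach_policy("bob", arn)
    out = {"v1": sorted(allowed_actions(acct.identities["bob"]))}
    acct.policies[arn].create_version(_doc("s3:GetObject", "s3:PutObject"), set_as_default=True)
    out["after_v2"] = sorted(allowed_actions(acct.identities["bob"]))  # central change
    acct.policies[arn].set_default_version("v1")                       # rollback
    out["after_rollback"] = sorted(allowed_actions(acct.identities["alice"]))
    acct.put_inline_policy("alice", "self-service", _doc("iam:GetUser"))
    out["alice_with_inline"] = sorted(allowed_actions(acct.identities["alice"]))
    acct.delete_identity("alice")  # inline policy gone; managed policy remains
    out["policy_survives_identity"] = arn in acct.policies
    try:
        acct.delete_policy(arn)    # bob still has it attached
    except PolicyError as e:
        out["delete_while_attached"] = str(e).split(":")[0]
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

The model makes the trade-off concrete: the managed policy object is shared by reference, so a new default version changes every attached identity at once and a rollback undoes it everywhere, while an inline document lives only in the identity's own dictionary and disappears with it. The version counter keeps increasing after deletions, as IAM's version IDs do, so a rolled-back policy is a pointer move rather than a rewrite.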