IAM Policies

Overview

2 types of IAM policies:
- Managed Policies - AWS Managed and Customer Managed.
- Incline Policies.

An AWS managed policy is a standalone policy that is created and administered by AWS.
- Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name.
  - For example, arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy.
AWS managed policies are designed to provide permissions for many common use cases.
You cannot change the permissions defined in AWS managed policies.

These are standalone policies that you administer in your own AWS account.
You can then attach the policies to multiple principal entities in your AWS account.
When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.
A great way to create a customer managed policy is to start by copying an existing AWS managed policy.
- That way you know that the policy is correct at the beginning and all you need to do is customize it to your environment.

An inline policy is a policy that's embedded in an IAM identity (a user, group, or role).
- The policy is an inherent part of the identity.
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to.
- For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for.
When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity.

In most cases, AWS recommend that you use managed policies instead of inline policies.
Managed policies provide the following features:
- Reusability:
  - A single managed policy can be attached to multiple principal entities (users, groups, and roles).
- Central change management:
  - When you change a managed policy, the change is applied to all principal entities that the policy is attached to.
- Versioning and rolling back:
  - When you change a customer managed policy, the changed policy doesn't overwrite the existing policy.
    Instead, IAM creates a new version of the managed policy.
- Automatic updates for AWS managed policies:
  - AWS maintains AWS managed policies and updates them when necessary (for example, to add permissions for new AWS services), without you having to make changes.

Last updated 4 years ago

Was this helpful?

AWS managed policy

An AWS managed policy is a standalone policy that is created and administered by AWS.

Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name.
- For example, arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy.

AWS managed policies are designed to provide permissions for many common use cases.

You cannot change the permissions defined in AWS managed policies.

Customer managed policies

These are standalone policies that you administer in your own AWS account.

You can then attach the policies to multiple principal entities in your AWS account.

When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

A great way to create a customer managed policy is to start by copying an existing AWS managed policy.

That way you know that the policy is correct at the beginning and all you need to do is customize it to your environment.

Inline policies

An inline policy is a policy that's embedded in an IAM identity (a user, group, or role).

Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to.

For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for.

When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity.

Managed Policy Benefits

In most cases, AWS recommend that you use managed policies instead of inline policies.

Managed policies provide the following features:

Reusability:
- A single managed policy can be attached to multiple principal entities (users, groups, and roles).
Central change management:
- When you change a managed policy, the change is applied to all principal entities that the policy is attached to.
Versioning and rolling back:
- When you change a customer managed policy, the changed policy doesn't overwrite the existing policy.
  - Instead, IAM creates a new version of the managed policy.
Automatic updates for AWS managed policies:
- AWS maintains AWS managed policies and updates them when necessary (for example, to add permissions for new AWS services), without you having to make changes.