# IAM Policies

## Overview

* **2 types of IAM policies:**
  * **Managed Policies - AWS Managed and Customer Managed**.
  * **Inline Policies**.

## AWS managed policy

* An AWS managed policy is **a standalone policy that is created and administered by AWS**.
  * **Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name**.
    * For example, **`arn:aws:iam::aws:policy/IAMReadOnlyAccess` is an AWS managed policy**.
* AWS managed policies are **designed to provide permissions for many common use cases**.
* **You cannot change the permissions defined** in AWS managed policies.

## Customer managed policies

* These are **standalone policies that you administer in your own AWS account**.

* You can then **attach the policies to multiple principal entities in your AWS account**.

* **When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy**.

* A **great way to create a customer managed policy is to start by copying an existing AWS managed policy**.
  * That way **you know that the policy is correct at the beginning** and all you need to do is customize it to your environment.
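An added example (not part of the original notes) of the copy-then-customize approach: it starts from a constructed stand-in for an AWS managed policy document, narrows it for one account, and checks that the customized copy allows no action the source did not. The account ID and the policy document are made-up placeholders; pull the real document with `aws iam get-policy-version` before doing this against a live account.

```python
"""Derive a customer managed policy from a copy of an AWS managed policy and
verify the copy never grants more than the original did."""
import copy
import fnmatch
import json

# CONSTRUCTED stand-in for an AWS managed policy document (not the real IAMReadOnlyAccess).
AWS_MANAGED_SOURCE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*", "iam:SimulateCustomPolicy"],
         "Resource": "*"}
    ],
}

def allowed_actions(policy):
    """Collect every Allow action (or action pattern) in a policy document."""
    acts = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        a = stmt.get("Action", [])
        acts.update([a] if isinstance(a, str) else a)
    return acts

def action_covered(action, patterns):
    """True if `action` matches at least one source pattern (IAM actions are
    case-insensitive and use '*' wildcards). A '*' inside `action` is treated as
    a literal character, so wider patterns on the customized side fail the check,
    which errs on the safe side."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_subset_of(customized, source):
    """Every Allow action in `customized` must be matched by an Allow in `source`."""
    src = allowed_actions(source)
    return all(action_covered(a, src) for a in allowed_actions(customized))

def customize(source, account_id):
    """Copy the managed policy, then narrow it: drop the simulate action and
    scope Resource to the account's own roles instead of '*'."""
    doc = copy.deepcopy(source)  # never mutate the source document
    for stmt in doc["Statement"]:
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        stmt["Action"] = [a for a in acts if a != "iam:SimulateCustomPolicy"]
        stmt["Resource"] = f"arn:aws:iam::{account_id}:role/*"
    return doc

if __name__ == "__main__":
    custom = customize(AWS_MANAGED_SOURCE, "123456789012")  # placeholder account ID
    print(json.dumps(custom, indent=2))
    print("customized copy stays within the source:", is_subset_of(custom, AWS_MANAGED_SOURCE))
```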

## Inline policies

* An inline policy is a **policy that's embedded in an IAM identity (a user, group, or role)**.
  * The **policy is an inherent part of the identity**.

* Inline policies are **useful if you want to maintain a strict one-to-one relationship between a policy and the identity** that it's applied to.

  * For example, you **want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for**.

* When you use an inline policy, **the permissions in the policy cannot be inadvertently attached to the wrong identity**.

## Managed Policy Benefits

* In most cases, **AWS recommends that you use managed policies instead of inline policies**.
* **Managed policies provide the following features**:
  * **Reusability:**

    * A **single managed policy can be attached to multiple principal entities** (users, groups, and roles).

  * **Central change management:**

    * When you change a managed policy, the **change is applied to all principal entities that the policy is attached to**.

  * **Versioning and rolling back:**

    * When you change a customer managed policy, the **changed policy doesn't overwrite the existing policy**.
      * Instead, **IAM creates a new version of the managed policy**.

  * **Automatic updates for AWS managed policies:**
    * **AWS maintains AWS managed policies and updates them when necessary** (for example, to add permissions for new AWS services), without you having to make changes.


