IAM Policies

Overview

  • 2 types of IAM policies:

    • Managed Policies - AWS Managed and Customer Managed.

    • Inline Policies.

AWS managed policy

  • An AWS managed policy is a standalone policy that is created and administered by AWS.

    • Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name.

      • For example, arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy.

  • AWS managed policies are designed to provide permissions for many common use cases.

  • You cannot change the permissions defined in AWS managed policies.

Customer managed policies

  • These are standalone policies that you administer in your own AWS account.

  • You can then attach the policies to multiple principal entities in your AWS account.

  • When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

  • A great way to create a customer managed policy is to start by copying an existing AWS managed policy.

    • That way you know that the policy is correct at the beginning and all you need to do is customize it to your environment.
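An added example (not from the original notes) in Python that works on the two points above: the policy ARN format, where the account field is the literal `aws` for AWS managed policies, and the copy-then-customize workflow, where a copied managed policy document is scoped down to named resources. The sample document and resource ARNs are constructed for illustration, not a real AWS managed policy; the functions are pure and make no AWS calls.

```python
from __future__ import annotations
import copy

# Constructed sample document in the shape returned by IAM GetPolicyVersion
# (assumption: illustrative only, not the content of any real AWS managed policy).
AWS_MANAGED_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def policy_kind(arn: str) -> str:
    """Classify an IAM policy ARN as 'aws-managed' or 'customer-managed'.

    ARN layout: arn:partition:iam::account:policy/Name. For AWS managed
    policies the account field holds the literal string 'aws'; for customer
    managed policies it holds the 12-digit account ID.
    """
    parts = arn.split(":", 5)
    if (len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam"
            or not parts[5].startswith("policy/")):
        raise ValueError(f"not an IAM policy ARN: {arn}")
    return "aws-managed" if parts[4] == "aws" else "customer-managed"


def scope_to_resources(doc: dict, resources: list[str]) -> dict:
    """Return a copy of a managed policy document with every Allow on '*'
    narrowed to the given resource ARNs. Deny statements are left untouched,
    so the customized copy is never more permissive than the original."""
    out = copy.deepcopy(doc)
    for stmt in out["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*":
            stmt["Resource"] = list(resources)
    return out


def allows_wildcard_resource(doc: dict) -> bool:
    """True if any Allow statement still grants its actions on every resource."""
    return any(s.get("Effect") == "Allow" and s.get("Resource") == "*"
               for s in doc["Statement"])
```

Running `allows_wildcard_resource` on the scoped copy is a quick check that the customization step actually removed the wildcard before the policy is created in the account.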

Inline policies

  • An inline policy is a policy that's embedded in an IAM identity (a user, group, or role).

    • The policy is an inherent part of the identity.

  • Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to.

    • For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for.

  • When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity.

Managed Policy Benefits

  • In most cases, AWS recommends that you use managed policies instead of inline policies.

  • Managed policies provide the following features:

    • Reusability:

      • A single managed policy can be attached to multiple principal entities (users, groups, and roles).

    • Central change management:

      • When you change a managed policy, the change is applied to all principal entities that the policy is attached to.

    • Versioning and rolling back:

      • When you change a customer managed policy, the changed policy doesn't overwrite the existing policy.

        • Instead, IAM creates a new version of the managed policy.

    • Automatic updates for AWS managed policies:

      • AWS maintains AWS managed policies and updates them when necessary (for example, to add permissions for new AWS services), without you having to make changes.
