IAM Policy

Definition: A document that defines permissions and can be applied to users, groups, and roles.
Structure
Format: Policies are written in JSON, consisting of key-value pairs (attributes and values).
Permissions
Implicit Deny: By default, all permissions are implicitly denied.
Most Restrictive Policy: When multiple policies apply, the most restrictive outcome wins: an explicit Deny in any applicable policy overrides any Allow.
Tools and Features
IAM Policy Simulator: A tool to help understand, test, and validate the effects of access control policies.
Policy Elements
Condition Element: Optional part of a statement that restricts when the statement applies, based on attributes of the request (the request context).
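The three evaluation rules from these notes (implicit deny by default, explicit Deny beating every Allow, and a Condition element gating a statement) carried into a small evaluator. This is an added illustration, not code from the notes and not AWS's own evaluation logic; the sample policies, bucket name and request contexts are constructed, and only a subset of condition operators is modelled.

```python
"""Simplified IAM policy evaluator, added as an illustration (not AWS's own
algorithm). Implicit deny by default; an explicit Deny in any policy beats
every Allow; a Condition is checked against the request context. Only the
StringEquals and Bool operators and "*" wildcards are supported."""
from fnmatch import fnmatch

def _listify(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    return any(fnmatch(value, p) for p in _listify(patterns))  # "*" wildcards

def _condition_holds(condition, context):
    for operator, checks in condition.items():
        for key, expected in checks.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _listify(expected):
                    return False
            elif operator == "Bool":
                # As with the real "Bool" operator, a key absent from the request
                # never matches (AWS has BoolIfExists for the "absent matches" case).
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                continue  # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed it: implicit deny

# Constructed sample policies (not taken from the notes above).
READ_BUCKET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
DENY_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
```

Note the last case in the comments: with plain `Bool`, a request whose context lacks the MFA key slips past the Deny statement, which is why a real deny-without-MFA policy is usually written with `BoolIfExists`.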
Types of IAM Policies

AWS Managed Policies
Customer Managed Policies
Inline Policies

AWS Managed Policies

Definition: Policies created and administered by AWS.
Characteristics:
Common Use Cases: Designed for common job functions.
Ease of Use: Saves you the effort of creating policies yourself.
Attachment: Can be attached to multiple users, groups, or roles across AWS accounts.
Immutability: Permissions cannot be changed.
Examples:
Job-Specific Managed Policies:
Administrator
Billing
Database Administrator
Data Scientist
Developer Power User
Network Administrator
Security Auditor
Support User
System Administrator
View-Only User

Customer Managed Policies

Definition: Standalone policies that you create and administer in your own AWS account.
Characteristics:
Customization: Can be customized to meet specific needs.
Attachment: Can be attached to multiple users, groups, and roles within your account.
Creation: Can be created by copying and modifying an existing managed policy.
Recommendation: Ideal when AWS Managed Policies do not meet your specific requirements.

Inline Policies

Definition: Policies embedded directly within a user, group, or role.
Characteristics:
1:1 Relationship: Directly attached to a single entity.
Deletion: When the user, group, or role is deleted, the inline policy is also deleted.
Use Case: Useful when you need to ensure that the permissions in a policy are not inadvertently assigned to other entities.
AWS Recommendation: Generally recommends using managed policies instead of inline policies for ease of management and reusability.

Summary of AWS Managed and Customer Managed Policies

AWS Managed Policies:
Standalone: Have their own Amazon Resource Name (ARN).
Pre-Defined Permissions: Permissions set by AWS and cannot be changed.
Common Use Cases: Designed for many common scenarios and job functions.
Customer Managed Policies:
Standalone: Administered within your AWS account.
Customizable: Permissions can be tailored to specific needs.
Reusability: Can be attached to multiple principal entities within your account.