Using IAM Policies
Managed Policies vs. Inline Policies
To manage access within AWS, you will use policies. AWS explains, “A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal makes a request. Permissions in the policies determine whether the request is allowed or denied.”
Let’s talk specifically about IAM policies, the identity-based policies you attach to IAM users, groups, and roles to control what those identities may do across AWS services. There are three types of IAM policies:
- AWS managed policies are created and provided by AWS. It’s important to note that you cannot change the permissions of an AWS managed policy; AWS itself does update them over time, so a policy you attached may later grant more than it did when you reviewed it.
- Customer managed policies are created and administered by you. Many AWS users create these by customizing an existing AWS managed policy.
- Inline policies are, as AWS puts it, “an inherent part of the identity,” meaning that they are embedded into a single IAM user, group, or role. They cannot be attached to anything else, and they are deleted along with that identity.
In most cases, you will use managed policies instead of inline policies: they can be attached to many identities, versioned, and reviewed in one place. Inline policies make sense only when you want a strict one-to-one relationship between a policy and the identity it applies to, so that it can never be attached to anything else by mistake. To learn more, visit the AWS documentation on managed policies and inline policies.
If you're using AWS, you should already be using IAM. There are three kinds of IAM policies. There are the AWS managed policies that AWS provides for you. There are customer managed policies that you create for your own users and roles. And then there are inline policies that are embedded in just one principal.
IAM policies authorize more than just users. AWS evaluates them on pretty much every request, so they govern API calls, the roles your EC2 instances run under, and most anything else you have set up in AWS. IAM is great for general control, but if you need to give another account access to one particular S3 bucket, or you need a policy larger than an IAM policy allows (a managed policy is capped at 6,144 characters; a bucket policy can be up to 20 KB), then it's better to use an S3 bucket policy. And for more information on those, please see one of our videos related to that.
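The evaluation rule quoted at the top (AWS evaluates the policies and decides allow or deny), the managed-versus-inline distinction in the list, and the cross-account bucket-policy case just mentioned, worked through as one small model. This is an added example, not code from the original page or from AWS: it implements only the documented decision logic (an explicit Deny always wins, then an Allow, otherwise an implicit deny; an IAM user in the bucket's own account needs either its identity policy or the bucket policy to allow, while a caller from another account needs both) and ignores conditions, permissions boundaries, SCPs and session policies. The account IDs, bucket name, user names and policy documents are all constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# All account IDs, bucket names and policy documents below are constructed
# sample data for this example; they are not real accounts or AWS code.


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_applies(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(_match(a, action) for a in actions)
            and any(_match(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Decision for one set of policy documents: an explicit Deny always
    wins, then any matching Allow, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


@dataclass
class Principal:
    """An IAM user. Managed policies are shared objects attached by reference;
    inline policies are embedded in this identity and exist nowhere else."""
    name: str
    account: str
    managed: list = field(default_factory=list)
    inline: dict = field(default_factory=dict)

    @property
    def arn(self):
        return f"arn:aws:iam::{self.account}:user/{self.name}"

    def identity_policies(self):
        return list(self.managed) + list(self.inline.values())


def _principal_applies(stmt, caller):
    """Bucket-policy statements name the principals they cover."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    account_root = f"arn:aws:iam::{caller.account}:root"
    return any(p in ("*", account_root, caller.arn) for p in allowed)


def is_allowed(caller, action, resource, resource_account, bucket_policy=None):
    """Combine the caller's identity-based policies with an optional bucket policy.
    Same account: either side allowing is enough. Cross-account: both must allow."""
    identity = evaluate(caller.identity_policies(), action, resource)
    statements = _as_list((bucket_policy or {"Statement": []})["Statement"])
    applicable = [s for s in statements if _principal_applies(s, caller)]
    resource_side = evaluate([{"Statement": applicable}], action, resource)
    if "Deny" in (identity, resource_side):
        return False
    if caller.account == resource_account:
        return "Allow" in (identity, resource_side)
    return identity == "Allow" and resource_side == "Allow"


# Customer managed policy (constructed): read-only on one log bucket. It is
# attached to several identities by reference, so one edit changes all of them.
READ_LOGS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]}]}

# Inline policy (constructed): an explicit Deny that narrows the grant for one
# identity only; nothing else can ever have this policy attached.
NO_SECRETS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-logs/secrets/*"}]}

# Bucket policy (constructed): cross-account grant to a single user elsewhere.
BUCKET_ACCOUNT = "111111111111"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:user/auditor"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"}]}

alice = Principal("alice", BUCKET_ACCOUNT, managed=[READ_LOGS])
bob = Principal("bob", BUCKET_ACCOUNT, managed=[READ_LOGS], inline={"NoSecrets": NO_SECRETS})
auditor = Principal("auditor", "222222222222", managed=[READ_LOGS])  # their own account's policy

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-logs/app.log"
    secret = "arn:aws:s3:::example-logs/secrets/db.key"
    print("alice GetObject app.log:", is_allowed(alice, "s3:GetObject", obj, BUCKET_ACCOUNT, BUCKET_POLICY))
    print("bob GetObject secret:", is_allowed(bob, "s3:GetObject", secret, BUCKET_ACCOUNT, BUCKET_POLICY))
    print("auditor cross-account GetObject:", is_allowed(auditor, "s3:GetObject", obj, BUCKET_ACCOUNT, BUCKET_POLICY))
    print("auditor ListBucket (not in bucket policy):",
          is_allowed(auditor, "s3:ListBucket", "arn:aws:s3:::example-logs", BUCKET_ACCOUNT, BUCKET_POLICY))
```

The point the example makes beyond the text: the managed policy is one object shared by `alice`, `bob` and the partner's `auditor`, while the inline Deny belongs to `bob` alone and overrides the shared Allow; and the cross-account caller is admitted only where the bucket policy and the caller's own identity policy agree, which is why the auditor can `GetObject` but not `ListBucket`.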