Concepts
AWS managed policies are pre-configured by AWS and are designed to provide permissions for many common use cases. AWS has two categories of managed policies that it maintains itself: AWS managed policies for services and AWS job function policies.
- AWS managed policies are created and maintained by AWS. They are designed to facilitate the assignment of permissions for specific AWS services or resources. Because they are maintained by AWS, they are updated automatically when necessary, such as when new services or service features are introduced.
- AWS job function policies are designed to correspond to common job functions in the IT industry. They provide permissions necessary to perform certain roles within AWS, such as a database administrator or a network administrator.
Customer-Managed Policies:
Customer-managed policies are created and fully managed by the customer. These policies are tailored by the users of the AWS account to meet specific security requirements. They provide more granular control over permissions and allow for a custom set of permissions to be created.
Customers can use the AWS Policy Generator or write policies manually in JSON format. This gives the flexibility to define precise access control tailored to the unique operating environment of the organization.
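To make the "created and fully managed by the customer" side concrete, here is an added example (not code from the original page) that drives the customer-managed policy lifecycle through boto3-style calls: create the policy, lint a new document before publishing it (AWS does not review customer-managed policies for you), publish it as a new default version while staying under IAM's five-versions-per-policy cap, and roll back by making an older version the default again. It runs against a constructed in-memory stand-in for the IAM client so it works offline; the stand-in uses the same method names and keyword arguments as `boto3.client("iam")`, so passing a real client as the `iam` argument runs the same code against an account. The policy name and account id are placeholders.

```python
import json


class FakeIamClient:
    """Constructed in-memory stand-in for the subset of the boto3 IAM client used
    below. It exists only so the example runs offline; a real boto3.client("iam")
    exposes the same method names and keyword arguments. The account id is a
    placeholder."""
    ACCOUNT_ID = "123456789012"

    def __init__(self):
        self._policies = {}  # arn -> {"versions": {vid: doc}, "default": vid, "next": int}

    def create_policy(self, PolicyName, PolicyDocument):
        arn = f"arn:aws:iam::{self.ACCOUNT_ID}:policy/{PolicyName}"
        self._policies[arn] = {"versions": {"v1": PolicyDocument}, "default": "v1", "next": 2}
        return {"Policy": {"Arn": arn, "DefaultVersionId": "v1"}}

    def create_policy_version(self, PolicyArn, PolicyDocument, SetAsDefault=False):
        p = self._policies[PolicyArn]
        if len(p["versions"]) >= 5:  # IAM stores at most five versions per managed policy
            raise RuntimeError("LimitExceeded: delete a non-default version first")
        vid = f"v{p['next']}"  # IAM never reuses a version id
        p["next"] += 1
        p["versions"][vid] = PolicyDocument
        if SetAsDefault:
            p["default"] = vid
        return {"PolicyVersion": {"VersionId": vid, "IsDefaultVersion": SetAsDefault}}

    def list_policy_versions(self, PolicyArn):
        p = self._policies[PolicyArn]
        return {"Versions": [{"VersionId": v, "IsDefaultVersion": v == p["default"]}
                             for v in p["versions"]]}

    def set_default_policy_version(self, PolicyArn, VersionId):
        p = self._policies[PolicyArn]
        if VersionId not in p["versions"]:
            raise RuntimeError("NoSuchEntity")
        p["default"] = VersionId
        return {}

    def delete_policy_version(self, PolicyArn, VersionId):
        p = self._policies[PolicyArn]
        if VersionId == p["default"]:
            raise RuntimeError("DeleteConflict: the default version cannot be deleted")
        del p["versions"][VersionId]
        return {}


def policy_document(instance_types):
    """Customer-managed policy in the page's style, parameterised on the allowed types."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:InstanceType": list(instance_types)}},
        }],
    }


def grants_everything(doc):
    """Pre-upload check. AWS does not review customer-managed policies, so refuse a
    document with an unconditional Allow of every action on every resource."""
    for st in doc["Statement"]:
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if (st.get("Effect") == "Allow" and "*" in actions and "*" in resources
                and not st.get("Condition")):
            return True
    return False


def default_version(iam, arn):
    """Version id that is in effect for every entity the policy is attached to."""
    for v in iam.list_policy_versions(PolicyArn=arn)["Versions"]:
        if v["IsDefaultVersion"]:
            return v["VersionId"]
    raise LookupError(arn)


def publish_version(iam, arn, doc):
    """Lint, make room under the five-version cap, then publish as the new default."""
    if grants_everything(doc):
        raise ValueError("refusing to publish: policy allows * on * without a condition")
    versions = iam.list_policy_versions(PolicyArn=arn)["Versions"]
    if len(versions) >= 5:
        oldest = min((v for v in versions if not v["IsDefaultVersion"]),
                     key=lambda v: int(v["VersionId"][1:]))
        iam.delete_policy_version(PolicyArn=arn, VersionId=oldest["VersionId"])
    resp = iam.create_policy_version(PolicyArn=arn, PolicyDocument=json.dumps(doc),
                                     SetAsDefault=True)
    return resp["PolicyVersion"]["VersionId"]


def roll_back(iam, arn, version_id):
    """Rolling back is just making an older, still-stored version the default."""
    iam.set_default_policy_version(PolicyArn=arn, VersionId=version_id)
    return default_version(iam, arn)


def demo(iam=None):
    """Create the policy, publish a second version, then roll back to v1."""
    iam = iam or FakeIamClient()
    arn = iam.create_policy(PolicyName="ExampleEc2LaunchPolicy",  # hypothetical name
                            PolicyDocument=json.dumps(policy_document(["t2.micro"])))["Policy"]["Arn"]
    v2 = publish_version(iam, arn, policy_document(["t2.micro", "t2.small"]))
    after_rollback = roll_back(iam, arn, "v1")
    return {"arn": arn, "published": v2, "default_after_rollback": after_rollback}


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the default version is what every attached user, group or role actually gets, so `set_default_policy_version` is the whole rollback, and the old version stays available until it is explicitly deleted; and because the cap is five stored versions, `publish_version` deletes the oldest non-default version first rather than failing with `LimitExceeded` mid-deployment.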
Comparison:
| Aspect | AWS Managed Policies | Customer-Managed Policies |
|---|---|---|
| Creator | AWS | Customer |
| Maintenance | Automatically updated by AWS | Manually maintained by customer |
| Customizability | No (only attachable/detachable) | Highly customizable |
| Use Case | General use cases and job functions | Specific security needs of an account |
| Versioning | Version controlled by AWS | Supports manual versioning |
| Reuse | Can be attached to many entities | Can be attached to many entities |
| Visibility | Public (shared across all AWS users) | Private (within the customer’s account) |
| Permission Updates | Automatic based on AWS changes | Manual, as needed by the customer |
Examples:
AWS Managed Policy Example:
One example of an AWS managed policy is “AmazonDynamoDBReadOnlyAccess,” which provides read-only access to Amazon DynamoDB resources.
When you attach this policy to an IAM role, the entities assuming that role will have read-only permissions to DynamoDB without the need for you to write any policy code.
Customer-Managed Policy Example:
Suppose your company has a strict policy that only allows admins to launch EC2 instances of type "t2.micro" within a specific VPC. You can create a customer-managed policy that defines these specific conditions. A simplified version of such a policy in JSON format could look like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro",
          "ec2:Tenancy": "default",
          "ec2:Vpc": "arn:aws:ec2:region:account-id:vpc/vpc-id"
        }
      }
    }
  ]
}
```
This policy ensures that the EC2 instances launched conform to the company’s guidelines regarding instance types and placement within the VPC.
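The following added example (not code from the original page) shows how the conditions in a policy like the one above actually decide a request, and how an explicit Deny from another attached policy overrides it. It is a deliberately small evaluator that models only Action and Resource wildcards, the StringEquals condition operator, and the Deny-beats-Allow rule; the `FREEZE_POLICY` is a constructed second policy, the VPC ARN is the page's placeholder, and `ec2:Tenancy` is the documented EC2 tenancy condition key. One caveat it also demonstrates: IAM authorizes an `ec2:RunInstances` call against every resource in the request (instance, subnet, security group, volume, and so on) separately, and a StringEquals key that a resource does not carry, such as `ec2:InstanceType` on a subnet, evaluates false for that resource. A single statement with `"Resource": "*"` and instance-only keys therefore denies the subnet part of the launch; AWS's documented pattern for RunInstances is one statement per resource type, each carrying only the keys that resource supports.

```python
import fnmatch
import json

# The page's customer-managed policy, re-typed with straight quotes. The VPC ARN is
# the page's placeholder; ec2:Tenancy is the documented EC2 tenancy condition key.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro",
          "ec2:Tenancy": "default",
          "ec2:Vpc": "arn:aws:ec2:region:account-id:vpc/vpc-id"
        }
      }
    }
  ]
}
""")

# Constructed second policy: an unconditional explicit Deny, the kind an account
# might attach during an incident freeze. Used to show Deny winning over Allow.
FREEZE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"}],
}

VPC_ARN = "arn:aws:ec2:region:account-id:vpc/vpc-id"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action and Resource values may contain '*' wildcards ("ec2:*", "*").
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(condition, context):
    # Only StringEquals is modelled. Every listed key must be present in the
    # request context with one of the allowed values; a key that is absent from
    # the context makes the whole condition false.
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True


def evaluate(policies, action, resource, context):
    """Simplified identity-based evaluation for one action on one resource:
    an applicable explicit Deny wins, otherwise any applicable Allow allows,
    otherwise the request is implicitly denied."""
    decision = "implicit_deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
                continue
            if not _conditions_hold(st.get("Condition", {}), context):
                continue
            if st["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


def demo():
    """Run the page's policy over constructed request contexts."""
    instance = "arn:aws:ec2:region:account-id:instance/*"
    subnet = "arn:aws:ec2:region:account-id:subnet/subnet-id"
    compliant = {"ec2:InstanceType": "t2.micro", "ec2:Tenancy": "default", "ec2:Vpc": VPC_ARN}
    wrong_type = {**compliant, "ec2:InstanceType": "t2.large"}
    other_vpc = {**compliant, "ec2:Vpc": "arn:aws:ec2:region:account-id:vpc/vpc-other"}
    return {
        "compliant": evaluate([POLICY], "ec2:RunInstances", instance, compliant),
        "wrong_type": evaluate([POLICY], "ec2:RunInstances", instance, wrong_type),
        "other_vpc": evaluate([POLICY], "ec2:RunInstances", instance, other_vpc),
        "other_action": evaluate([POLICY], "ec2:TerminateInstances", instance, compliant),
        "frozen": evaluate([POLICY, FREEZE_POLICY], "ec2:RunInstances", instance, compliant),
        # A subnet in the right VPC carries ec2:Vpc but no ec2:InstanceType, so the
        # single-statement policy denies the subnet part of a RunInstances request.
        "subnet_in_vpc": evaluate([POLICY], "ec2:RunInstances", subnet, {"ec2:Vpc": VPC_ARN}),
    }


if __name__ == "__main__":
    print(demo())
```

The `frozen` case is the explicit-deny behaviour the quiz below asks about: the Allow still matches, but a matching Deny anywhere in the attached policies ends evaluation. The `subnet_in_vpc` case is why a condition-heavy RunInstances policy should be tested with the IAM policy simulator before it reaches production, not just saved.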
In summary, AWS managed policies offer simplicity and ease of use for standard permissions across AWS services, while customer-managed policies allow customers to define and manage finely tuned permissions that meet their organization’s specific requirements. A candidate for the AWS Certified Developer – Associate (DVA-C02) exam must understand both types of policies to build and maintain secure, efficient, and compliant AWS applications.
Answer the Questions in Comment Section
True or False: AWS managed policies are maintained by AWS while customer-managed policies are maintained by the user.
- True
- False
Answer: True
Explanation: AWS managed policies are managed and updated by AWS, whereas customer-managed policies are fully user-controlled and managed.
Which of the following can be edited directly by the user?
- AWS managed policies
- Customer-managed policies
- Both
- Neither
Answer: Customer-managed policies
Explanation: Customer-managed policies can be edited and managed by the user, while AWS managed policies cannot be edited.
True or False: Customer-managed policies provide more granular control over AWS permissions compared to AWS managed policies.
- True
- False
Answer: True
Explanation: Customer-managed policies allow users to define the precise level of permissions required, offering more granular control than AWS managed policies.
True or False: AWS managed policies are the best way to grant permissions that are specific to your AWS environment.
- True
- False
Answer: False
Explanation: Customer-managed policies are better suited for granting specific permissions tailored to your AWS environment.
Who is primarily responsible for updating and maintaining AWS managed policies?
- AWS administrators
- The customer
- Both
- Neither
Answer: AWS administrators
Explanation: AWS administrators are responsible for updating and maintaining AWS managed policies.
Which policy type supports the feature of versioning and rolling back?
- AWS managed policies
- Customer-managed policies
- Both
- Neither
Answer: Customer-managed policies
Explanation: Customer-managed policies support versioning, which allows for rolling back to previous versions. AWS managed policies do not support this feature.
True or False: AWS managed policies can be attached to multiple AWS entities, like users, groups, and roles.
- True
- False
Answer: True
Explanation: Both AWS managed and customer-managed policies can be attached to multiple users, groups, and roles.
True or False: Customer-managed policies are automatically reviewed by AWS for security best practices.
- True
- False
Answer: False
Explanation: Customer-managed policies are not automatically reviewed by AWS; users are responsible for ensuring their policies align with security best practices.
Which policy type is recommended for assigning permissions that are common across many users/roles?
- AWS managed policies
- Customer-managed policies
- Both are equally recommended
Answer: AWS managed policies
Explanation: AWS managed policies are ideal for common permissions across many users/roles due to their preconfigured nature and ease of management.
True or False: You can attach as many AWS managed policies as you want to a single IAM entity.
- True
- False
Answer: False
Explanation: There is a limit to the number of managed policies that you can attach to an IAM entity, whether they are AWS managed or customer-managed policies.
True or False: Customer-managed policies offer a way to set an explicit deny within the policy.
- True
- False
Answer: True
Explanation: Customer-managed policies provide the flexibility to add an explicit deny statement, which provides a strong level of control.
When should a customer-managed policy be used instead of an AWS managed policy?
- When you need predefined permissions for easy management.
- When you require custom permissions not available in any AWS managed policy.
- Only when AWS managed policies limit attachment to IAM entities.
- It is never recommended to use customer-managed policies.
Answer: When you require custom permissions not available in any AWS managed policy.
Explanation: Customer-managed policies are used when you need custom permissions that are specialized and not covered by AWS managed policies.
Great post! I was a bit confused about the differences between AWS managed policies and customer-managed policies, but this really helped.
Can someone explain why we would choose an AWS managed policy over creating our own customer-managed policy?
I prefer customer-managed policies because they give you precise control over the permissions.
Thanks for the clear explanation!
Is it safe to rely entirely on AWS managed policies for a production environment?
This blog really clarified things for my DVA-C02 exam preparation. Appreciate it!
AWS managed policies are easy to use but can be overly permissive at times.
Perfect timing, I was just about to take the AWS Certified Developer – Associate exam!