Concepts

AWS managed policies are pre-configured by AWS and are designed to provide permissions for many common use cases. AWS has two categories of managed policies: AWS managed policies and AWS job function policies.

  • AWS managed policies are created and maintained by AWS. They are designed to facilitate the assignment of permissions for specific AWS services or resources. Because they are maintained by AWS, they are updated automatically when necessary, such as when new services or service features are introduced.
  • AWS job function policies are designed to correspond to common job functions in the IT industry. They provide permissions necessary to perform certain roles within AWS, such as a database administrator or a network administrator.

Customer-Managed Policies:

Customer-managed policies are created and fully managed by the customer. These policies are tailored by the users of the AWS account to meet specific security requirements. They provide more granular control over permissions and allow for a custom set of permissions to be created.

Customers can use the AWS Policy Generator or write policies manually in JSON format. This gives the flexibility to define precise access control tailored to the unique operating environment of the organization.

Comparison:

| Aspect | AWS Managed Policies | Customer-Managed Policies |
|---|---|---|
| Creator | AWS | Customer |
| Maintenance | Automatically updated by AWS | Manually maintained by the customer |
| Customizability | No (only attachable/detachable) | Highly customizable |
| Use Case | General use cases and job functions | Specific security needs of an account |
| Versioning | Version controlled by AWS | Supports manual versioning |
| Reuse | Can be attached to many entities | Can be attached to many entities |
| Visibility | Public (shared across all AWS users) | Private (within the customer’s account) |
| Permission Updates | Automatic, based on AWS changes | Manual, as needed by the customer |

Examples:

AWS Managed Policy Example:

One example of an AWS managed policy is “AmazonDynamoDBReadOnlyAccess,” which provides read-only access to Amazon DynamoDB resources.

When you attach this policy to an IAM role, the entities assuming that role will have read-only permissions to DynamoDB without the need for you to write any policy code.

Customer-Managed Policy Example:

Suppose your company has a strict policy that only allows admins to launch EC2 instances of type ‘t2.micro’ within a specific VPC. You can create a customer-managed policy that defines these specific conditions. A simplified version of such a policy in JSON format could look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro",
          "ec2:PlacementTenancy": "default",
          "ec2:Vpc": "arn:aws:ec2:region:account-id:vpc/vpc-id"
        }
      }
    }
  ]
}

This policy allows ec2:RunInstances only when the requested instance type, tenancy and VPC all match the company’s guidelines; any launch that does not satisfy every condition falls through to IAM’s implicit deny.
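To make the evaluation of the policy above concrete, here is an added Python evaluator (not code from the original page) that implements just enough of IAM's logic to exercise it: Action and Resource wildcard matching, StringEquals conditions, the rule that a condition key absent from the request context fails the test, and the precedence of an explicit deny over any allow. It also classifies a policy ARN as AWS managed or customer-managed from its account segment; the policy copy and request contexts are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the page's customer-managed policy (placeholder VPC ARN kept).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {"StringEquals": {
      "ec2:InstanceType": "t2.micro",
      "ec2:PlacementTenancy": "default",
      "ec2:Vpc": "arn:aws:ec2:region:account-id:vpc/vpc-id"}}
  }]
}
""")


def policy_kind(policy_arn):
    """AWS managed policies sit under the pseudo-account 'aws'; customer-managed
    policies sit under the customer's own account id."""
    return "AWS managed" if policy_arn.startswith("arn:aws:iam::aws:policy/") else "customer-managed"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource, context):
    """True when the statement applies to this request. A StringEquals test on a
    key missing from the request context evaluates to false, as in IAM."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:  # None != expected: missing key fails
            return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM decision: explicit deny wins, then any allow, else implicit deny."""
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision
```

In a real RunInstances call IAM evaluates the statement separately for each resource type involved (instance, image, subnet, security group and so on), and keys such as ec2:InstanceType are not present for all of them, which is why a single-statement form like the page's "simplified" policy is usually split into one statement per resource type in practice.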

In summary, AWS managed policies offer simplicity and ease of use for standard permissions across AWS services, while customer-managed policies allow customers to define and manage finely tuned permissions that meet their organization’s specific requirements. An AWS Certified Developer – Associate (DVA-C02) must understand both types of policies to build and maintain secure, efficient, and compliant AWS applications.

Answer the Questions in the Comment Section

True or False: AWS managed policies are maintained by AWS while customer-managed policies are maintained by the user.

  • True
  • False

Answer: True

Explanation: AWS managed policies are managed and updated by AWS, whereas customer-managed policies are fully user-controlled and managed.

Which of the following can be edited directly by the user?

  • AWS managed policies
  • Customer-managed policies
  • Both
  • Neither

Answer: Customer-managed policies

Explanation: Customer-managed policies can be edited and managed by the user, while AWS managed policies cannot be edited.

True or False: Customer-managed policies provide more granular control over AWS permissions compared to AWS managed policies.

  • True
  • False

Answer: True

Explanation: Customer-managed policies allow users to define the precise level of permissions required, offering more granular control than AWS managed policies.

True or False: AWS managed policies are the best way to grant permissions that are specific to your AWS environment.

  • True
  • False

Answer: False

Explanation: Customer-managed policies are better suited for granting specific permissions tailored to your AWS environment.

Who is primarily responsible for updating and maintaining AWS managed policies?

  • AWS administrators
  • The customer
  • Both
  • Neither

Answer: AWS administrators

Explanation: AWS administrators are responsible for updating and maintaining AWS managed policies.

Which policy type supports the feature of versioning and rolling back?

  • AWS managed policies
  • Customer-managed policies
  • Both
  • Neither

Answer: Customer-managed policies

Explanation: Customer-managed policies support versioning, which allows for rolling back to previous versions. AWS managed policies do not support this feature.

True or False: AWS managed policies can be attached to multiple AWS entities, like users, groups, and roles.

  • True
  • False

Answer: True

Explanation: Both AWS managed and customer-managed policies can be attached to multiple users, groups, and roles.

True or False: Customer-managed policies are automatically reviewed by AWS for security best practices.

  • True
  • False

Answer: False

Explanation: Customer-managed policies are not automatically reviewed by AWS; users are responsible for ensuring their policies align with security best practices.

Which policy type is recommended for assigning permissions that are common across many users/roles?

  • AWS managed policies
  • Customer-managed policies
  • Both are equally recommended

Answer: AWS managed policies

Explanation: AWS managed policies are ideal for common permissions across many users/roles due to their preconfigured nature and ease of management.

True or False: You can attach as many AWS managed policies as you want to a single IAM entity.

  • True
  • False

Answer: False

Explanation: There is a limit to the number of managed policies that you can attach to an IAM entity, whether they are AWS managed or customer-managed policies.

True or False: Customer-managed policies offer a way to set an explicit deny within the policy.

  • True
  • False

Answer: True

Explanation: Customer-managed policies provide the flexibility to add an explicit deny statement, which provides a strong level of control.

When should a customer-managed policy be used instead of an AWS managed policy?

  • When you need predefined permissions for easy management.
  • When you require custom permissions not available in any AWS managed policy.
  • Only when AWS managed policies limit attachment to IAM entities.
  • It is never recommended to use customer-managed policies.

Answer: When you require custom permissions not available in any AWS managed policy.

Explanation: Customer-managed policies are used when you need custom permissions that are specialized and not covered by AWS managed policies.

Kyle Knight
6 months ago

Great post! I was a bit confused about the differences between AWS managed policies and customer-managed policies, but this really helped.

سام قاسمی

Can someone explain why we would choose an AWS managed policy over creating our own customer-managed policy?

Gottfried Beetz
7 months ago

I prefer customer-managed policies because they give you precise control over the permissions.

Nour Gangstad
8 months ago

Thanks for the clear explanation!

Raphael Egas
7 months ago

Is it safe to rely entirely on AWS managed policies for a production environment?

Pinja Marttila
6 months ago

This blog really clarified things for my DVA-C02 exam preparation. Appreciate it!

Chad Howell
7 months ago

AWS managed policies are easy to use but can be overly permissive at times.

Cathy Bryant
8 months ago

Perfect timing, I was just about to take the AWS Certified Developer – Associate exam!
