When you create or modify an Identity and Access Management (IAM) entity such as a group, user, or role, you attach one or more policies to it; those policies define what the entity may do in the associated AWS services. Managed policies, the standalone policy objects you attach to entities, come in two types: AWS Managed Policies and Customer Managed Policies. (Inline policies, which are embedded directly in a single entity rather than attached, are a third option and are not covered here.) Each managed policy type has its own characteristics and uses.

Part 2: What are AWS Managed Policies?

AWS Managed Policies are pre-configured by Amazon and cover the permissions required for many commonly used AWS services, operations, and resources. Amazon updates these policies as services change, for example when a service adds new API actions that the policy is meant to cover. With AWS Managed Policies, you do not maintain the policy document yourself. The flip side is that the document can change without action on your part, so the permissions an entity holds through an AWS Managed Policy today may not be exactly the permissions it held when you attached it.

For instance, “ReadOnlyAccess” is an AWS Managed Policy that grants read-only access across AWS services. Once attached to an IAM user, that user can perform read operations (List, Get, Describe and similar actions) and, unless some other policy allows it, cannot create, modify, or delete resources. Note that “read-only” in IAM terms is still broad: read actions on many services return the data itself, not just resource metadata, so treat the policy as wide-reaching. If you only need to see an inventory of resources without their contents, the “ViewOnlyAccess” job-function policy is narrower.

Part 3: What are Customer Managed Policies?

Customer Managed Policies are those that you create, configure, and manage within your own AWS environment. These policies can be fully customized to grant specific permissions for each service, operation, or resource. This gives you the autonomy to create highly specific and granular permissions.

For example, you might create a custom policy that grants access to a single S3 bucket and allows only the specific actions the workload needs, such as ‘s3:GetObject’ and ‘s3:PutObject’ on that bucket’s objects.
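The following is an added example, not code from the original article. It builds the kind of single-bucket customer managed policy described above and runs two checks a reviewer would want before creating it: the document fits the IAM limit for managed policies (6,144 characters, whitespace not counted) and no Allow statement uses wildcard actions or an unconditioned Resource of ‘*’. The bucket name “example-app-uploads” and the optional “team-a/” prefix are assumptions chosen for the example.

```python
"""Build and sanity-check a least-privilege customer managed IAM policy.

Added example, not from the original article. The bucket name and prefix
used at the bottom are made up for the demonstration.
"""
import json
import re

# From the IAM quotas: a managed policy document may hold at most 6,144
# characters, and IAM does not count whitespace toward that limit.
MANAGED_POLICY_MAX_CHARS = 6144


def bucket_rw_policy(bucket: str, prefix: str = "") -> dict:
    """Return a policy allowing ListBucket plus Get/PutObject on one bucket.

    s3:ListBucket operates on the bucket itself, so it is scoped to the bucket
    ARN; object actions are scoped to the object ARNs under the bucket. When a
    prefix is given, listing is restricted to that prefix with s3:prefix and
    object access to keys under it.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}*" if prefix else f"{bucket_arn}/*"
    list_stmt = {
        "Sid": "ListTheBucket",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": bucket_arn,
    }
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    objects_stmt = {
        "Sid": "ReadWriteObjects",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": object_arn,
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, objects_stmt]}


def policy_size(policy: dict) -> int:
    """Count characters the way IAM sizes managed policies: whitespace excluded."""
    return len(re.sub(r"\s", "", json.dumps(policy)))


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: dict) -> list:
    """Return findings a least-privilege review would reject (empty list = clean)."""
    findings = []
    if policy_size(policy) > MANAGED_POLICY_MAX_CHARS:
        findings.append("policy exceeds the 6,144 non-whitespace character limit")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are guardrails, not grants
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any("*" in action for action in actions):
            findings.append(f"{sid}: wildcard in Action {actions}")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"{sid}: Resource '*' with no Condition")
    return findings


if __name__ == "__main__":
    # Constructed input: a team that needs its own prefix in a shared bucket.
    policy = bucket_rw_policy("example-app-uploads", prefix="team-a/")
    print(json.dumps(policy, indent=2))
    print("size:", policy_size(policy), "findings:", lint_policy(policy))
```

Write the printed document to a file and create the policy with `aws iam create-policy --policy-name <name> --policy-document file://policy.json`, then attach it with `aws iam attach-role-policy` (or the user/group equivalent). Because every change to a customer managed policy creates a new policy version, keep the source document in version control as well so reviews happen before the document reaches IAM.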

Part 4: Key Differences between AWS Managed Policies and Customer Managed Policies

  • Control and Customization:
    AWS Managed Policies are pre-configured by Amazon, and you cannot modify them. On the other hand, Customer Managed Policies are entirely under your control, and you can modify them as required.
  • Updates:
    AWS updates AWS Managed Policies as services and features change; you cannot pin a particular version, so the granted permissions can change without your involvement. With Customer Managed Policies, you make and review every update yourself, and each update is recorded as a new policy version that you can roll back to.
  • Granularity of Permissions:
    AWS Managed Policies are written for a generic audience and therefore tend to grant broader permissions, often with a Resource of “*”, than any one workload needs. Customer Managed Policies can be scoped to specific actions, resources, and conditions, which is what the principle of least privilege calls for.
  • Use Cases:
    AWS Managed Policies are best for generic, widely used permissions such as read-only access. Customer Managed Policies are better when highly specific, granular permissions are required.

Part 5: Choosing the Right Policy Type

The choice between AWS Managed Policies and Customer Managed Policies depends largely on your specific needs. If you require broad, standard permissions across many services and want to avoid managing policy updates, AWS Managed Policies can be suitable. However, if you need custom, tightly controlled permissions for specific resources or services, Customer Managed Policies are the way to go.

Remember, it’s not an either/or choice. You can attach both policy types to the same entity. A common pattern is an AWS Managed Policy for broad, common permissions alongside a Customer Managed Policy that either adds tightly scoped permissions or carves out exceptions with explicit Deny statements, since a Deny in any attached policy overrides an Allow in any other. That is the only way to narrow an AWS Managed Policy, because its document cannot be edited.
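To make the combination concrete, here is an added example (not from the original article) that models the core of IAM’s identity-policy evaluation: an explicit Deny in any policy wins, otherwise any matching Allow allows, otherwise the request is implicitly denied. It matches Action and Resource with IAM’s “*” and “?” wildcards only; Conditions, NotAction/NotResource, resource-based policies, permissions boundaries and SCPs are out of scope. The two policy documents are constructed for the example: the first imitates the shape of a broad read-only managed policy (it is not the real ReadOnlyAccess document) and the second is a customer managed guardrail for an assumed “payroll-exports” bucket.

```python
"""Simplified IAM identity-policy evaluation: explicit Deny > Allow > implicit Deny.

Added example, not from the original article. Only Effect/Action/Resource
matching with '*' and '?' wildcards is modelled; Conditions, NotAction,
NotResource, resource policies, boundaries and SCPs are not.
"""
import re


def _iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """Match an IAM pattern where '*' is any run of characters and '?' is one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource.

    Action names are case-insensitive in IAM; resource ARNs are matched
    case-sensitively here.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource not modelled")
            if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation immediately
            allowed = True  # keep looking: a later Deny could still override
    return "Allow" if allowed else "ImplicitDeny"


# Constructed: the shape of a broad AWS-managed-style read-only policy.
BROAD_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*", "ec2:Describe*", "iam:Get*", "iam:List*"],
        "Resource": "*",
    }],
}

# Constructed: a customer managed guardrail for one sensitive bucket.
PAYROLL_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "NoPayrollReads",
        "Effect": "Deny",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::payroll-exports/*",
    }],
}

if __name__ == "__main__":
    attached = [BROAD_READ_ONLY, PAYROLL_GUARDRAIL]
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::public-assets/logo.png"),
        ("s3:GetObject", "arn:aws:s3:::payroll-exports/2024-q1.csv"),
        ("s3:PutObject", "arn:aws:s3:::public-assets/logo.png"),
    ]:
        print(f"{act:14} {res:48} -> {evaluate(attached, act, res)}")
```

The last case in the script shows why the guardrail is a separate customer managed policy rather than an edit to the managed one: with only the broad policy attached, the payroll read would be allowed, and the managed document offers no place to say otherwise.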

Practice Test

True/False: AWS managed policies are created and maintained by AWS.

  • True
  • False

Answer: True

Explanation: AWS managed policies are pre-built by AWS and cover common use cases to help customers quickly get started.

Multiple Choice: Which of the following statements are true about customer managed policies?

  • A) They offer precise control over policies
  • B) They are maintained by AWS
  • C) They are less flexible than AWS managed policies

Answer: A

Explanation: Customer managed policies are maintained by users and offer the most flexibility and control over policies.

Multiple Choice: Which policy is more flexible in terms of customization, AWS managed policies, or customer managed policies?

  • A) AWS managed policies
  • B) Customer managed policies

Answer: B

Explanation: Customer managed policies are user-defined and allow for more flexibility and specific control.

True/False: Changes to AWS managed policies are not possible.

  • True
  • False

Answer: True

Explanation: AWS managed policies are maintained by AWS and cannot be edited by users.

Multiple Choice: Who is responsible for maintaining and updating AWS managed policies?

  • A) Amazon
  • B) User
  • C) Both

Answer: A

Explanation: AWS managed policies are created and maintained by AWS.

Multiple Choice: Who has the complete control to edit and update customer managed policies?

  • A) Amazon
  • B) User
  • C) Both

Answer: B

Explanation: Customer managed policies are defined and controlled by the user.

True/False: Only AWS managed policies can be used across multiple accounts.

  • True
  • False

Answer: False

Explanation: AWS managed policies are available in every AWS account. A customer managed policy belongs to the account that created it, but the same policy document can be deployed into multiple accounts (for example with CloudFormation StackSets or IAM Identity Center permission sets), so customer managed permissions can also be used across accounts.

Multiple Choice: In terms of specificity, which policy is more specific?

  • A) AWS managed policies
  • B) Customer managed policies

Answer: B

Explanation: Customer managed policies are more specific since they are tailor-made by the user.

True/False: AWS managed policies provide granular control over permissions.

  • True
  • False

Answer: False

Explanation: Customer managed policies provide granular control over permissions, tailored to their specific needs.

Multiple Choice: AWS managed policies and customer managed policies are?

  • A) Same
  • B) Different
  • C) Partially same

Answer: B

Explanation: They are different in ways like who manages them, their flexibility, their responsibility, and specificity.

True/False: You cannot attach AWS managed policies to multiple entities.

  • True
  • False

Answer: False

Explanation: AWS managed policies, like customer managed policies, can be attached to multiple entities such as users, groups, and roles, subject to the account quota on the number of managed policies attached to a single entity.

Multiple Choice: Which policy type can be customized according to the use-case?

  • A) AWS managed policies
  • B) Customer managed policies

Answer: B

Explanation: Customer managed policies can be created and customized according to a user’s specific needs.

Multiple Choice: Is it possible to use both AWS managed policies and customer managed policies simultaneously?

  • A) Yes
  • B) No

Answer: A

Explanation: A user can use both AWS managed policies and customer managed policies concurrently.

True/False: AWS managed policies get updated automatically when AWS adds new services or actions.

  • True
  • False

Answer: True

Explanation: AWS maintains AWS managed policies and updates them as services change or new services are added, without any action on the customer’s side.

Multiple Choice: Which policy type offers broad permissions across all AWS services?

  • A) AWS managed policies
  • B) Customer managed policies

Answer: A

Explanation: AWS managed policies often offer broad permissions across multiple AWS services.

Interview Questions

What are AWS managed policies?

AWS managed policies are policies created and managed by AWS, which are designed to provide permissions for many common use cases.

What are customer managed policies?

Customer managed policies are policies that are created and managed by the users themselves in their own AWS environment.

What is the main difference between AWS managed policies and customer managed policies?

The main difference lies in the management aspect. AWS managed policies are managed by Amazon Web Services, whereas customer managed policies are managed by the customers themselves.

Between customer managed policies and AWS managed policies, which allows more granular control?

Customer managed policies offer more granular control because they are custom designed by users, tailored to their specific needs.

Can AWS managed policies be altered or modified according to customer needs?

No, AWS managed policies cannot be altered or modified. If a user needs a different set of permissions, they should create a customer managed policy.

What are the maximum characters allowed in AWS managed policies and customer managed policies?

Both AWS managed policies and customer managed policies are subject to the managed policy limit of 6,144 characters, and IAM does not count whitespace toward that limit. (Inline policies have separate, smaller limits that depend on the entity they are embedded in.)

Can a user create an AWS managed policy?

No, a user cannot create an AWS managed policy. These policies are predefined and maintained by AWS.

How many customer managed policies can a user create?

By default an AWS account can hold up to 1,500 customer managed policies. This is an adjustable service quota, so a higher limit can be requested.

Can customer managed policies be reused across multiple users and groups?

Yes, a customer managed policy can be attached to multiple users, groups, and roles within the account that owns it.

Are AWS managed policies attached to multiple AWS accounts?

AWS managed policies are not attached to accounts at all. They are AWS-owned policies (their ARNs start with arn:aws:iam::aws:policy/) that exist once and are visible in every account; each account attaches them to its own users, groups, and roles as needed.

What is the advantage of AWS managed policy over customer managed policy?

AWS managed policies are designed by AWS, benefit from AWS’ extensive experience with security best practices, and are updated when new AWS service actions and resources are added, reducing the overhead for users.

Can customer managed policies be converted to AWS managed policies?

No, customer managed policies cannot be converted to AWS managed policies.

Between AWS managed policies and customer managed policies, which allows policies to be version controlled?

Both have policy versions, but only customer managed policies let you control them: each change you make creates a new version (up to five are retained) and you can set any retained version as the default or roll back to it. Versions of AWS managed policies are created by AWS and can only be viewed.

Can AWS managed policies be shared across multiple AWS accounts?

Yes. AWS managed policies are available in every AWS account without any sharing step. It is customer managed policies that are scoped to the account that created them; to use one elsewhere, you recreate the same document in the other account.

Between customer managed and AWS managed policies, which gives permissions to AWS service to perform actions on your behalf?

Either type can be attached to a service role that an AWS service assumes to act on your behalf. AWS does publish many managed policies written specifically for service roles, and service-linked roles use AWS managed policies exclusively, so AWS managed policies are the more common choice for this purpose.
