As an AWS Certified Developer – Associate (DVA-C02) candidate, one of the most important concepts to understand is the difference between AWS managed policies and customer-managed policies. Both can be seen as IAM policies, but they are markedly distinct entities when it comes to their purpose and functionality.
AWS Managed Policies
AWS managed policies are pre-configured by Amazon Web Services and provide permissions to execute specific operations on AWS resources. They are designed to provide a uniform set of permissions to AWS customers, reducing the complexity of permissions management for common usage scenarios.
Here is an example of an AWS managed policy that grants permissions to an EC2 instance:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*"
    }]
}
In the above policy, the "Effect" is set to "Allow", meaning that the policy allows the associated IAM user or role to execute EC2 actions. The "Action" is set to "ec2:*", implying that users can perform all EC2 actions, including launching instances, creating snapshots, and so on. The "Resource" is set to "*", meaning the policy applies to all resources.
Customer-Managed Policies
Customer-managed policies, as the name suggests, are completely under the customer's control. They are custom IAM policies that are created when AWS managed policies do not suit a customer's unique security requirements. With customer-managed policies, customers can specify their own set of permissions, providing more granular control over access.
Here is an example of a customer-managed policy that grants limited permissions to an EC2 instance:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:StartInstances",
            "ec2:StopInstances"
        ],
        "Resource": "*"
    }]
}
In the above policy, the "Effect" is set to "Allow", meaning that the policy allows the associated IAM users or roles to carry out specific actions on EC2 instances. The "Action" part only allows users to start and stop instances; no other EC2 actions can be performed by those users. Again, the "Resource" is set to "*", indicating the policy applies to all resources.
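The two policy documents above differ only in how broad their Action element is. The following script, added here as an example and not code from the page or from AWS, re-types both documents with straight quotes, normalises the single-string-or-list forms that IAM accepts for Statement, Action and Resource, and reports every Allow statement that relies on a wildcard, which is the check a reviewer applies before attaching either kind of policy.

```python
"""Wildcard audit for the two IAM policy documents shown above (added example)."""
import json

# Constructed copy of the broad AWS-managed-style example from the page.
BROAD_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}''')

# Constructed copy of the scoped customer-managed example from the page.
SCOPED_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                 "Resource": "*"}]
}''')


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and
    Resource; normalise every form to a list so the audit handles all of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy):
    """Return (statement_index, kind, value) for each wildcard in an Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "resource", resource))
    return findings


def allowed_actions(policy):
    """Sorted, de-duplicated list of actions granted by the policy's Allow statements."""
    actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return sorted(actions)


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, allowed_actions(pol), audit_policy(pol))
```

Both policies are flagged for the "Resource": "*" element; only the first is also flagged for an action wildcard, which is exactly the granularity difference the comparison table below summarises.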
Comparison
Feature | AWS Managed Policies | Customer-Managed Policies |
---|---|---|
Who controls? | Managed by AWS | Managed by Customer |
Use Case | Common use cases | Unique requirements |
Flexibility | Lower as pre-configured | Higher, can be customized |
Responsibility | AWS responsible for updates & effectiveness | Customer responsible for updates & effectiveness |
Example | Allow all EC2 actions | Allow only specific EC2 actions |
Conclusion
Both AWS managed policies and customer-managed policies play significant roles in an AWS environment, and understanding when to use each is critical for securing AWS resources. AWS managed policies are a great way to get started quickly, while customer-managed policies provide the granularity needed for specific security requirements.
Practice Test
True/False: AWS managed policies allow you full control to customize permissions whereas Customer-managed policies are maintained by AWS.
- False
Answer: False
Explanation: AWS managed policies are maintained by AWS and offer pre-defined permissions for many AWS services. In contrast, customer-managed policies are fully customizable and are maintained by the user.
Multiple select: Which of the following are benefits of AWS Managed Policies? (Select all that apply)
- A. Easy to set up
- B. Customizable permissions
- C. Automatic updates by AWS
- D. Predefined permissions for various AWS services
Answers: A, C, D
Explanation: AWS Managed Policies are easy to set up, and automatically updated by AWS. They also come with predefined permissions for various AWS services. Customizable permissions, however, are a feature of customer-managed policies.
Multiple select: Which of the following are features of customer-managed policies? (Select all that apply)
- A. Customizable permissions
- B. Requires familiarity with AWS services
- C. Maintained by AWS
- D. Grant permissions to all AWS services
Answers: A, B, D
Explanation: Customer-managed policies offer fully customizable permissions and require solid familiarity with AWS services. They can grant permissions to all AWS services. However, they are maintained by the customer, not AWS.
True/False: You can create as many customer-managed policies as you like.
- False
Answer: False
Explanation: Even though customer-managed policies offer more flexibility than AWS managed policies, there is a limit to the number you can create in your AWS account.
Single select: Which type of policy allows you to grant permissions to any AWS service?
- A. AWS managed policies
- B. Customer-managed policies
- C. Both AWS managed policies and customer-managed policies
Answer: B. Customer-managed policies
Explanation: While both policies can grant access to AWS services, only customer-managed policies allow for granting permissions to any AWS service, as they are fully customizable.
Single select: If you want to maintain the policy by yourself, which type of policy should you use?
- A. AWS managed policies
- B. Customer-managed policies
Answer: B. Customer-managed policies
Explanation: Customer-managed policies are maintained by the customer whereas AWS managed policies are maintained by AWS.
True/False: AWS managed policies offer the same degree of customization as customer-managed policies.
- False
Answer: False
Explanation: AWS managed policies do not offer the same degree of customization as customer-managed policies. They provide pre-defined permissions for many AWS services.
Multiple Select: Which of the following limitations are related to customer-managed policies? (Select all that apply)
- A. Limited number
- B. Requirement of good familiarity with AWS services
- C. No pre-configured permissions
- D. Required maintenance by AWS
Answers: A, B, C
Explanation: Customer-managed policies come with certain limitations such as limited number, the requirement of good familiarity with AWS services, and absence of pre-configured permissions. Also, these policies need to be maintained by the customer, not AWS.
True/False: AWS managed policies are designed to provide permissions for specific AWS service tasks.
- True
Answer: True
Explanation: AWS managed policies provide predefined sets of permissions designed specifically for distinct tasks within various AWS services.
Single select: Who maintains customer-managed policies?
- A. Amazon
- B. Customer
- C. Both Amazon and Customer
Answer: B. Customer
Explanation: Customer-managed policies are maintained by the customer. Amazon maintains AWS managed policies.
Interview Questions
What is an AWS managed policy?
An AWS managed policy is a standalone policy that is created and administered by AWS. It is designed to align with common use cases and is updated when services or features are introduced by AWS.
How does a customer managed policy differ from an AWS managed policy?
Customer managed policies are standalone policies that are created and managed by users in their AWS environment. Users are responsible for all operations associated with their customer managed policy, including creation, update, and deletion.
Can customers edit AWS managed policies?
No, AWS managed policies cannot be edited by customers. To use a policy similar to an AWS managed policy, customers must duplicate the policy as a customer managed policy and then edit the copy.
Which services can use the AWS managed policies?
AWS managed policies can be used across various services such as Amazon S3, Amazon EC2, AWS IAM, and more.
Can I attach a managed policy to more than one user, group, or role?
Yes, unlike inline policies, managed policies are standalone objects that can be attached to multiple users, groups, or roles.
What happens when AWS updates an AWS managed policy?
When AWS updates an AWS managed policy, any user, group, or role that the policy is attached to automatically receives the new permissions included in the update.
How can IAM roles get higher levels of permissions with AWS managed policies?
AWS managed policies built for common job functions can be attached to a role to grant the permissions that function needs, without adding unnecessary permissions to the role.
What is the limit on the number of customer managed policies in an AWS account?
By default, AWS sets a limit of 5000 customer managed policies per AWS account.
What should be done if a customer wants to change something in an AWS managed policy?
If desired changes need to be made, customers should duplicate the AWS managed policy into a new customer managed policy and make the changes in the new policy.
Are AWS Managed policies region specific?
No, AWS Managed policies are not region specific. They are global and can be used in any region that supports the services authorized by the policy.
Regarding the size limit, what is the difference between AWS Managed policies and Customer managed policies?
Both AWS Managed policies and Customer managed policies have a size limit. However, customer managed policies allow a maximum size of 6,144 characters, whereas AWS managed policies can extend beyond this limit.
Can customers delete AWS managed policies?
No, customers cannot delete AWS managed policies as these are managed and controlled by AWS.
Does AWS provide versioning for customer managed policies?
Yes, AWS provides policy versioning for customer managed policies which aids in managing and rolling back changes.
Can AWS managed policies be used as a basis to create customer-managed policies?
Yes. In fact, this is recommended if customers wish to customize an existing AWS managed policy to better suit their needs.
Where do customer managed policies become especially useful?
Customer managed policies become especially useful when you need more precise control over the policy document structure, require unique sets of permissions, or exceed the limit for the number of managed policies that can be attached to an IAM entity.