New – Managed Policies for AWS Identity & Access Management
Many computer science problems can be solved, the experts like to say, by adding another level of indirection (this proposition is often referred to, with mock seriousness, as the Fundamental Theorem of Software Engineering).
If you are currently using IAM, you already know that you can use user-based permissions to grant access to specific AWS resources. The policies are expressed in JSON form. Until today, policies were directly attached to the user that they governed (we now think of these as “inline” policies).
This model was very flexible, but it led to duplication of information and effort. As the size and complexity of your AWS installation grows, you might find yourself editing multiple permission documents in order to add a new permission or to remove an existing one. Auditing and confirming permissions was also more difficult than necessary.
New Managed Policies
Today we are improving the IAM policy model with support for managed policies. As I alluded to earlier, we are adding a level of indirection to IAM and turning policies into first-class AWS objects that can be created, named, and attached to one or more IAM users, groups, or roles. This change simplifies permission and policy management and gives you the power to create and deploy a consistent set of policies across your entire organization.
With today’s release, policies are first-class AWS objects that can be created, named, managed, and assigned as desired. They are also versioned, giving you the ability to track changes and to roll back if necessary. When you create and save a new version of a policy, you can choose to make that version the default. If you choose this option, all IAM entities that previously used the old version will automatically use the new one instead.
The permissions needed to attach and detach managed policies are themselves governed by IAM, giving you the ability to delegate this level of control to others in your organization as needed. You can even control which policies can be attached to which users, groups, and roles. This allows you to delegate policy assignment while retaining control over the contents of the policies.
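The create-attach-version workflow above and the delegation pattern just described, as an added example that is not part of the original post (the bucket, group and policy names are constructed placeholders; `aws` is the AWS CLI, and the `iam:PolicyARN` condition key is what scopes the attach permission to one policy):

```shell
# Added example, not from the original post: create, attach, version and
# delegate a customer managed policy with the AWS CLI. Names and the bucket
# are constructed placeholders; set TARGET_ACCOUNT_ID to actually call AWS.
set -eu
POLICY_NAME="ReadReportsBucket"   # constructed
GROUP_NAME="analysts"             # constructed
BUCKET="example-reports-bucket"   # constructed

# ARN under which a customer managed policy is addressed once created.
policy_arn() { printf 'arn:aws:iam::%s:policy/%s' "$1" "$2"; }

# The managed policy document: read-only access to a single bucket.
policy_document() {
  cat <<EOF
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"]}]}
EOF
}

# Delegation document: whoever holds it may attach or detach only the policy
# whose ARN is given, because iam:PolicyARN pins the allowed policy.
delegation_document() {
  cat <<EOF
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Action": ["iam:AttachGroupPolicy", "iam:DetachGroupPolicy"],
   "Resource": "*",
   "Condition": {"ArnEquals": {"iam:PolicyARN": "$1"}}}]}
EOF
}

# The AWS calls run only when an account id is supplied (credentials needed).
if [ -n "${TARGET_ACCOUNT_ID:-}" ]; then
  ARN=$(policy_arn "$TARGET_ACCOUNT_ID" "$POLICY_NAME")
  # 1. Create the policy; the document becomes version v1, the default.
  aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(policy_document "$BUCKET")"
  # 2. Attach once to the group; every member inherits the permissions.
  aws iam attach-group-policy --group-name "$GROUP_NAME" --policy-arn "$ARN"
  # 3. After editing policy_document, publish it as the new default version.
  #    Roll back with set-default-policy-version; at most five versions are
  #    kept, so prune old ones with delete-policy-version.
  aws iam create-policy-version --policy-arn "$ARN" --set-as-default \
    --policy-document "$(policy_document "$BUCKET")"
  # 4. Store the delegation document as its own managed policy.
  aws iam create-policy --policy-name "Attach-$POLICY_NAME" \
    --policy-document "$(delegation_document "$ARN")"
fi
```

Attach the `Attach-ReadReportsBucket` policy to a helpdesk group and its members can assign the bucket policy to groups but cannot attach anything broader, which is the delegation-without-loss-of-control split the post describes.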
AWS Managed Policies
As part of this launch we are also adding support for a set of common, predefined policies. Policies of this type are created and maintained by the AWS team and can be used to allow certain common types of access without having to create and maintain your own policies. These policies are also versioned and can be accessed from the console: