AWS Security Blog

An Easier Way to Manage Your Policies

AWS recently announced a new feature of AWS Identity and Access Management (IAM): managed policies. Managed policies enable you to attach a single policy to multiple IAM users, groups, and roles (in this blog post referred to collectively as “IAM entities”). When you update a managed policy, the permissions in that policy apply to every entity that the IAM policy is attached to.

In this post, I’ll walk you through one use case: using managed policies to roll out and then roll back a policy update through the IAM console. 

Roll out a policy update

One benefit of managed policies is that you can apply an update to multiple IAM entities across your AWS account. If you haven’t already created a managed policy, you can follow the steps in the IAM documentation to create a managed policy now before you read further. I’ll use the example policy from the documentation for this walkthrough.

After you follow the steps described in the documentation, you’ll have a policy named UsersManageOwnCredentials that grants an IAM user the ability to change their own password (but not delete it) and to manage (create, list, update, or delete) their own access keys using the IAM console. With this policy in hand, let’s explore how you can roll out an update to a policy in your account.

Imagine you want to specify a condition that restricts the users of this policy to your corporate IP address range. To make this change, you only have to edit UsersManageOwnCredentials once. Subsequently, all of the IAM entities attached to the policy will use your updated version of UsersManageOwnCredentials.

(In this example you’ll use the IAM console to edit your managed policy, but you could also use the API or command line interface.)

The first step is to open the IAM console and click Policies in the left navigation pane.

Image of the Policies pane in the IAM console

Click the policy name UsersManageOwnCredentials to see the details page with information about the policy. Then, click edit on the right side of the page.

Image of UsersManageOwnCredentials policy

Clicking edit makes the policy document editable.

Image of UsersManageOwnCredentials policy when editable

You can now modify the JSON of the policy and add an IP address condition. You can also select the Save as default version check box to save this version of the policy as the default version. (For the purposes of this walkthrough, however, we will not select the check box, which means for now this version will not be the default version of the policy.)

Image of UsersManageOwnCredentials policy with added IP address condition

When you click Save, your changes are saved as a new version of UsersManageOwnCredentials. IAM creates a new version of your policy when you edit it, instead of overwriting the previous version. You can view the last five versions of your policy in the Policy Versions section at the bottom of the Policy Details pane.

Image of new version of policy

Here, your edits are saved as Version 2. However, your IAM entities still have Version 1 attached to them because we did not select the Save as default version check box. To attach Version 2 to your IAM entities, you need to set Version 2 as the default. To do this, first select the check box next to Version 2.

Image of check box selected next to Version 2

Next, click Set as Default.

Image of having set Version 2 as default

Congratulations! All of your IAM entities that previously had Version 1 of UsersManageOwnCredentials attached to them now have your updated Version 2 attached to them instead. Note also that Version 2 is now the default policy. You’ve seen just how easy it is to roll out a policy update with managed policies.

Next, we’ll show you what to do if you want to roll back an update you’ve made.

Roll back a policy update

Imagine in this same scenario that some of your employees are working remotely from a client’s office. You don’t have their IP addresses, so under the policy you just applied that has an IP address condition, these employees will be denied access. You decide to roll back the changes you made. Performing this action is simple with a managed policy.

To roll back to a previous version of UsersManageOwnCredentials, first select the check box next to the version of the policy you want to set as the new default.

Image of selecting check box next to Version 1

Next, click Set as Default.

Now, the previous version of UsersManageOwnCredentials—that is, Version 1—is attached to all of your IAM entities.

Image of having set Version 1 as default again

Get started with managed policies

In this blog post, we’ve covered only one of the many new capabilities of managed policies. They offer reusability, consolidated policy management, versioning, updates, and fine-grained control over policy assignment. You can find more-detailed information by visiting Managing IAM Policies.

We look forward to hearing how you are using this functionality and the ways we can improve it. You can post comments below, or visit the IAM forum for both comments and questions about managed policies.

– Bradford