AWS Security Blog
Organize Your Permissions by Using Separate Managed Policies
This year we released managed policies to enable you to create a set of stand-alone policies that you can attach to multiple IAM entities (users, groups, and roles) in your AWS account. Since that release, we have heard from many of you that you’d prefer to mix and match policies instead of using one universal policy. For example, instead of creating one policy that grants access to multiple services, you might want to attach a separate policy for each service. To make this kind of logical separation practical, you can now attach up to 10 managed policies to each entity. This makes an entity’s permissions easier to understand: you can read them off the list of policies attached to it.
Let’s walk through an example use case. Imagine you have a database administrator with an IAM user named Alice who needs full access to Amazon DynamoDB, Amazon Relational Database Service (RDS), Amazon Redshift, and Amazon ElastiCache. She also needs read-only access to Amazon Simple Storage Service (S3) and Amazon Glacier. To grant these permissions to Alice, we’ll use AWS managed policies (policies created and maintained by AWS that can be used to grant common types of access). We’ll attach the following AWS managed policies to Alice:
- AmazonDynamoDBFullAccess
- AmazonRDSFullAccess
- AmazonRedshiftFullAccess
- AmazonElastiCacheFullAccess
- AmazonS3ReadOnlyAccess
- AmazonGlacierReadOnlyAccess
To attach these six policies to Alice, click Users in the left pane of the console.
Next, select Alice from the list of users.
Next, click Attach Policy in the Permissions section. You will see a list of managed policies in your account.
Select the check box next to AmazonDynamoDBFullAccess. If you are unable to find it in the list, you can use the Search field at the top of the managed policies table. Repeat this step for AmazonRDSFullAccess, AmazonElastiCacheFullAccess, AmazonGlacierReadOnlyAccess, AmazonRedshiftFullAccess, and AmazonS3ReadOnlyAccess.
Finally, click Attach Policy in the lower left corner of the Attach Policy section. This will bring you back to Alice’s detail page. From this page you can see that she has access to DynamoDB, RDS, ElastiCache, Glacier, Redshift, and S3. If you find that she needs access to another service, complete these same steps to attach another managed policy.
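The same six attachments can be scripted with the AWS CLI instead of clicked through the console. The script below is an added example and is not part of the original post; it assumes the AWS CLI is installed and configured with credentials allowed to call iam:AttachUserPolicy. The user name Alice, the six policy names, and the 10-policies-per-entity limit are the ones stated above; the DRY_RUN variable, the helper function names, and the pre-check against the limit are this example's own additions. AWS managed policies share the ARN prefix arn:aws:iam::aws:policy/, which is how policy_arn builds each ARN from its name.

```shell
#!/bin/sh
# Added example (not from the post): attach AWS managed policies to an IAM user
# with the AWS CLI, mirroring the console steps, and refuse to exceed the
# per-entity limit of managed policies the post describes.

MAX_MANAGED_POLICIES=10   # limit stated in the post
USER_NAME="Alice"

# The six AWS managed policies the post attaches to Alice (space-separated list).
POLICIES="AmazonDynamoDBFullAccess AmazonRDSFullAccess AmazonRedshiftFullAccess \
AmazonElastiCacheFullAccess AmazonS3ReadOnlyAccess AmazonGlacierReadOnlyAccess"

# AWS managed policies all live under the shared "aws" account namespace.
policy_arn() {
  printf 'arn:aws:iam::aws:policy/%s\n' "$1"
}

# Count the names in a space-separated list.
count_policies() {
  set -- $1
  echo $#
}

# Succeed (exit 0) only if the list fits within the per-entity limit.
within_limit() {
  [ "$(count_policies "$1")" -le "$MAX_MANAGED_POLICIES" ]
}

# Attach every policy in the list to the user. With DRY_RUN=1 (the default
# here, an assumption of this example) the CLI commands are printed, not run,
# so the script can be reviewed before it changes anything in the account.
attach_policies() {
  user="$1"
  list="$2"
  if ! within_limit "$list"; then
    echo "refusing: $(count_policies "$list") policies exceeds the limit of $MAX_MANAGED_POLICIES" >&2
    return 1
  fi
  for name in $list; do
    arn=$(policy_arn "$name")
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "aws iam attach-user-policy --user-name $user --policy-arn $arn"
    else
      aws iam attach-user-policy --user-name "$user" --policy-arn "$arn"
    fi
  done
}

attach_policies "$USER_NAME" "$POLICIES"
```

Run it as-is to see the six attach-user-policy commands it would issue; run it with DRY_RUN=0 to actually attach the policies. Because attach-user-policy is idempotent for an already-attached policy, re-running the script after adding a seventh policy name to POLICIES is the CLI equivalent of the post's "complete these same steps to attach another managed policy", and the pre-check stops you before the account rejects an attachment that would go past the limit.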
To get started attaching managed policies, sign in to the IAM console. You can find more-detailed information by visiting Managed Policies and Inline Policies. We look forward to hearing how you are using this functionality and the ways we can improve it. You can post comments below, or visit the IAM forum for both comments and questions about managed policies.
– Brigid