
Managed vs inline policies in AWS - CLI Comparison

Introduction
When you control who can do what in your cloud account, you use policies. Managed policies are reusable and shared, while inline policies are attached directly to one user or role. This helps organize permissions clearly and safely. Typical situations for each type:
Managed policy: when you want to give the same permissions to many users or roles without repeating the policy each time.
Inline policy: when you need a quick, one-off permission set for a single user or role that won't be reused.
Managed policy: when you want to update permissions in one place and have all users using that policy get the update automatically.
Inline policy: when you want to keep permissions tightly bound to a specific user or role for security reasons.
Inline policy: when you want to track exactly which permissions belong to which user or role without sharing.
Commands
This command creates a managed policy named ExampleManagedPolicy that allows the s3:ListBucket action (listing the objects in a bucket) on any bucket, because the Resource is "*". Managed policies can be attached to multiple users or roles.
Terminal
aws iam create-policy --policy-name ExampleManagedPolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"*"}]}'
Expected output
{"Policy":{"PolicyName":"ExampleManagedPolicy","Arn":"arn:aws:iam::123456789012:policy/ExampleManagedPolicy","DefaultVersionId":"v1","AttachmentCount":0,"IsAttachable":true,"CreateDate":"2024-06-01T12:00:00Z","UpdateDate":"2024-06-01T12:00:00Z"}}
--policy-name - Sets the name of the managed policy.
--policy-document - Defines the permissions in JSON format.
This command attaches the managed policy to a user named example-user, giving them the permissions defined in the managed policy.
Terminal
aws iam attach-user-policy --user-name example-user --policy-arn arn:aws:iam::123456789012:policy/ExampleManagedPolicy
Expected output
No output (command runs silently)
--user-name - Specifies the user to attach the policy to.
--policy-arn - Specifies the ARN of the managed policy to attach.
This command creates an inline policy named ExampleInlinePolicy directly attached to example-user, allowing them to get objects from a specific S3 bucket.
Terminal
aws iam put-user-policy --user-name example-user --policy-name ExampleInlinePolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}'
Expected output
No output (command runs silently)
--user-name - Specifies the user to attach the inline policy to.
--policy-name - Names the inline policy.
--policy-document - Defines the permissions in JSON format.
This command lists all inline policies attached to example-user, showing the names of the inline policies directly attached.
Terminal
aws iam list-user-policies --user-name example-user
Expected output
{"PolicyNames":["ExampleInlinePolicy"]}
--user-name - Specifies the user whose inline policies to list.
This command lists all managed policies attached to example-user, showing the ARNs and names of the managed policies.
Terminal
aws iam list-attached-user-policies --user-name example-user
Expected output
{"AttachedPolicies":[{"PolicyName":"ExampleManagedPolicy","PolicyArn":"arn:aws:iam::123456789012:policy/ExampleManagedPolicy"}]}
--user-name - Specifies the user whose managed policies to list.
Key Concept

If you remember nothing else from this pattern, remember: managed policies are reusable and shared, while inline policies are unique and attached directly to one user or role.

Common Mistakes
Mistake: trying to reuse inline policies by attaching them to multiple users.
Why it fails: inline policies cannot be shared; each one belongs to exactly one user or role.
Fix: use managed policies when you want to share permissions across multiple users or roles.
Mistake: updating a managed policy but forgetting that users have inline policies with conflicting permissions.
Why it fails: inline policies are separate and do not update automatically with managed policies, so the user's effective permissions can drift from what the managed policy now says.
Fix: keep permissions consistent by using managed policies for shared permissions and inline policies only for unique cases.
Mistake: deleting a user without removing inline policies first.
Why it fails: in the console, inline policies are deleted automatically with the user, but managed policies remain and can cause confusion if not detached. With the CLI, delete-user refuses to remove a user that still has inline policies or attached managed policies, so both must be cleaned up first.
Fix: detach managed policies (detach-user-policy) before deleting users; when scripting with the CLI, also delete each inline policy with delete-user-policy, since only the console removes them for you.
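To see why a managed-policy update can clash with an inline grant on the same user, here is an added Python example (not part of the original page) that evaluates constructed policy documents matching the two created above with a simplified form of IAM's identity-policy logic: an explicit Deny wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. It ignores resource policies, permission boundaries and Condition blocks, and MANAGED_V2 is a hypothetical later version of the managed policy.

```python
import json
import re

# Constructed sample documents, identical to the two policies created on this page.
MANAGED_V1 = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                        '"Action":"s3:ListBucket","Resource":"*"}]}')
INLINE = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                    '"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}')
# Hypothetical v2 of the managed policy: someone later adds an explicit Deny on the bucket,
# without looking at the inline policies still attached to each user.
MANAGED_V2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation over every policy attached to the user:
    explicit Deny wins over any Allow; with no matching statement the request is
    implicitly denied."""
    decision = "ImplicitDeny"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            # Action names are matched case-insensitively, resource ARNs case-sensitively.
            if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def effective_permissions(managed, inline):
    """Managed and inline policies attached to the same user are evaluated together."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    return {"ListBucket": evaluate(managed + inline, "s3:ListBucket", "arn:aws:s3:::example-bucket"),
            "GetObject": evaluate(managed + inline, "s3:GetObject", obj)}


if __name__ == "__main__":
    print("managed v1 + inline:", effective_permissions([MANAGED_V1], [INLINE]))
    print("managed v2 + inline:", effective_permissions([MANAGED_V2], [INLINE]))
```

With v1 the inline policy is what grants GetObject; with v2 the managed policy's explicit Deny overrides that inline Allow, which is the kind of surprise the second mistake above describes.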
Summary
Create managed policies to reuse permission sets across many users or roles.
Attach managed policies to users or roles to grant shared permissions.
Use inline policies for one-off, user-specific permissions that won't be reused.
List inline and managed policies separately to understand user permissions clearly.