Bird
Raised Fist0
AWScloud~5 mins

Managed vs inline policies in AWS - Quick Revision & Key Differences

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is a managed policy in AWS IAM?
A managed policy is a standalone policy that you can attach to multiple users, groups, or roles. It is created and managed independently from the identities it is attached to.
Click to reveal answer
beginner
What is an inline policy in AWS IAM?
An inline policy is a policy that is embedded directly into a single user, group, or role. It exists only as part of that identity and cannot be reused elsewhere.
Click to reveal answer
beginner
Which policy type is easier to reuse across multiple identities: managed or inline?
Managed policies are easier to reuse because they are standalone and can be attached to many users, groups, or roles.
Click to reveal answer
intermediate
What happens to an inline policy if the user or role it is attached to is deleted?
The inline policy is deleted along with the user or role because it is embedded directly in that identity.
Click to reveal answer
intermediate
Why might you choose an inline policy over a managed policy?
You might choose an inline policy when you want a policy that is tightly coupled to a single identity and should be deleted if that identity is removed, ensuring no leftover permissions.
Click to reveal answer
Which AWS policy type can be attached to multiple users, groups, or roles?
AManaged policy
BInline policy
CBoth managed and inline policies
DNeither managed nor inline policies
What happens to an inline policy when the user it is attached to is deleted?
AIt is deleted along with the user
BIt is converted to a managed policy
CIt remains in AWS and can be reused
DIt is archived automatically
Which policy type is best for reusing the same permissions across many identities?
ATemporary policy
BInline policy
CManaged policy
DSession policy
If you want a policy that is tightly linked to a single user and deleted with it, which policy should you use?
AManaged policy
BResource policy
CService control policy
DInline policy
Which of the following is NOT a characteristic of managed policies?
ACan be attached to multiple identities
BDeleted automatically when a user is deleted
CEasier to maintain and update centrally
DCreated independently from users or roles
Explain the main differences between managed and inline policies in AWS IAM.
Think about how each policy is attached and what happens when the user or role is removed.
You got /4 concepts.
    Describe a scenario where using an inline policy is more appropriate than a managed policy.
    Consider when you want to keep permissions very specific and temporary.
    You got /3 concepts.

      Practice

      (1/5)
      1. Which statement best describes an AWS managed policy?
      easy
      A. A policy that cannot be changed once created.
      B. A policy embedded directly into a single user, group, or role.
      C. A reusable permission set that can be attached to multiple users, groups, or roles.
      D. A policy that only applies to AWS services, not users.

      Solution

      1. Step 1: Understand managed policy characteristics

        Managed policies are standalone and reusable permission sets in AWS.

      2. Step 2: Compare with inline policies

        Inline policies are embedded directly into one user, group, or role, unlike managed policies.

      3. Final Answer:

        A reusable permission set that can be attached to multiple users, groups, or roles. -> Option C

      4. Quick Check:

        Managed policy = reusable permission set [OK]
      Hint: Managed = reusable; Inline = embedded [OK]
      Common Mistakes:
      • Confusing inline policies as reusable
      • Thinking managed policies are fixed and unchangeable
      • Assuming managed policies apply only to services
      2. Which of the following is the correct way to attach an inline policy to a user in AWS IAM?
      easy
      A. AttachPolicy(userName, policyArn)
      B. PutUserPolicy(userName, policyName, policyDocument)
      C. AttachUserPolicy(userName, policyName)
      D. CreateInlinePolicy(policyDocument)

      Solution

      1. Step 1: Identify AWS IAM API for inline policies

        The correct API to attach an inline policy to a user is PutUserPolicy, which requires user name, policy name, and policy document.

      2. Step 2: Eliminate incorrect options

        AttachPolicy and AttachUserPolicy are not valid AWS IAM API calls for inline policies. CreateInlinePolicy is not a valid standalone call.

      3. Final Answer:

        PutUserPolicy(userName, policyName, policyDocument) -> Option B

      4. Quick Check:

        Inline policy attachment uses PutUserPolicy [OK]
      Hint: Inline policies use PutUserPolicy API [OK]
      Common Mistakes:
      • Using AttachPolicy which is for managed policies
      • Confusing policy ARN with inline policy document
      • Trying to create inline policy without specifying user
      3. Given the following scenario: A user has both an inline policy allowing S3 read access and a managed policy denying S3 access. What is the effective permission for S3 access?
      medium
      A. The user cannot read S3 because explicit deny in managed policy overrides allow.
      B. The user cannot read S3 because inline policies are ignored when managed policies exist.
      C. The user can read S3 because managed policies are ignored if inline policies exist.
      D. The user can read S3 because inline policies override managed policies.

      Solution

      1. Step 1: Understand AWS policy evaluation logic

        AWS evaluates all policies together. Explicit deny in any policy overrides any allow.

      2. Step 2: Apply to scenario

        The managed policy denies S3 access explicitly, so even though inline policy allows it, deny takes precedence.

      3. Final Answer:

        The user cannot read S3 because explicit deny in managed policy overrides allow. -> Option A

      4. Quick Check:

        Explicit deny always overrides allow [OK]
      Hint: Explicit deny beats allow, regardless of policy type [OK]
      Common Mistakes:
      • Thinking inline policies override managed policies
      • Assuming allow always wins
      • Ignoring explicit deny rules
      4. You created an inline policy for a role but it is not granting the expected permissions. What is the most likely cause?
      medium
      A. The inline policy JSON syntax is invalid.
      B. The role already has a managed policy attached with higher priority.
      C. Inline policies cannot be attached to roles.
      D. The inline policy name conflicts with an existing managed policy.

      Solution

      1. Step 1: Verify inline policy attachment rules

        Inline policies can be attached to roles, so Inline policies cannot be attached to roles. is incorrect.

      2. Step 2: Check common issues with inline policies

        Invalid JSON syntax in the inline policy will prevent permissions from applying correctly.

      3. Step 3: Understand policy priority

        Managed and inline policies are evaluated together; no priority overrides permissions except explicit deny.

      4. Final Answer:

        The inline policy JSON syntax is invalid. -> Option A

      5. Quick Check:

        Invalid JSON breaks policy effect [OK]
      Hint: Check JSON syntax first for inline policy issues [OK]
      Common Mistakes:
      • Assuming inline policies can't attach to roles
      • Thinking managed policies override inline by priority
      • Confusing policy names causing conflicts
      5. You manage a team where multiple users need the same permissions to access DynamoDB. You also have one user who needs a unique permission set. What is the best approach to assign policies?
      hard
      A. Use only managed policies for all users, including the unique one.
      B. Create inline policies for all users to keep permissions separate.
      C. Attach the same inline policy to all users and add extra inline policies for the unique user.
      D. Create a managed policy for the common permissions and attach it to all users; create an inline policy for the unique user.

      Solution

      1. Step 1: Identify best practice for shared permissions

        Managed policies are reusable and ideal for common permissions shared by multiple users.

      2. Step 2: Handle unique permissions

        Inline policies are best for unique, one-off permissions tied to a single user.

      3. Step 3: Combine approaches for efficiency and clarity

        Use managed policy for the team and inline policy for the unique user to avoid duplication and ease management.

      4. Final Answer:

        Create a managed policy for the common permissions and attach it to all users; create an inline policy for the unique user. -> Option D

      5. Quick Check:

        Managed for shared, inline for unique [OK]
      Hint: Managed for many users, inline for one user [OK]
      Common Mistakes:
      • Using inline policies for all users causing duplication
      • Using only managed policies losing unique control
      • Attaching same inline policy to multiple users