Bird
Raised Fist0
AWScloud~10 mins

Managed vs inline policies in AWS - Visual Side-by-Side Comparison

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Process Flow - Managed vs inline policies
Start: Need to assign permissions
Choose policy type
Managed Policy
Attach to user/group/role
Permissions applied to identity
Use AWS resources with permissions
This flow shows choosing between managed and inline policies, attaching them to identities, and applying permissions.
Execution Sample
AWS
1. Create managed policy
2. Attach managed policy to user
3. Create inline policy
4. Attach inline policy to user
5. User gets permissions from both
This sequence shows creating and attaching managed and inline policies to a user to grant permissions.
Process Table
StepActionPolicy TypeAttachment TargetEffect on User Permissions
1Create policy 'ReadOnlyAccess'ManagedNoneNo effect yet
2Attach 'ReadOnlyAccess' to user AliceManagedUser AliceAlice gains ReadOnlyAccess permissions
3Create inline policy 'CustomWriteAccess' for AliceInlineUser AliceNo effect yet
4Attach inline policy 'CustomWriteAccess' to AliceInlineUser AliceAlice gains CustomWriteAccess permissions
5User Alice tries to read S3 bucketBothUser AliceAllowed by ReadOnlyAccess managed policy
6User Alice tries to write to S3 bucketBothUser AliceAllowed by CustomWriteAccess inline policy
7Detach managed policy from AliceManagedUser AliceAlice loses ReadOnlyAccess permissions
8User Alice tries to read S3 bucketInline onlyUser AliceDenied (no managed policy)
9Delete inline policy from AliceInlineUser AliceAlice loses CustomWriteAccess permissions
10User Alice tries to write to S3 bucketNo policiesUser AliceDenied (no permissions)
💡 Execution stops after all policies are detached and user has no permissions.
Status Tracker
VariableStartAfter Step 2After Step 4After Step 7After Step 9Final
User Alice PermissionsNoneReadOnlyAccessReadOnlyAccess + CustomWriteAccessCustomWriteAccessNoneNone
Key Moments - 3 Insights
Why does Alice lose read permissions after detaching the managed policy?
Because the managed policy 'ReadOnlyAccess' was the source of read permissions. After step 7 in the execution_table, detaching it removes those permissions.
Can inline policies be shared across multiple users?
No, inline policies are embedded directly in a single user, group, or role. This is shown in step 3 and 4 where the inline policy is created and attached only to Alice.
What happens if both managed and inline policies grant permissions?
Permissions are combined. In step 6, Alice can write because the inline policy grants write access, while managed policy grants read access.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what permissions does Alice have after step 4?
AOnly ReadOnlyAccess
BOnly CustomWriteAccess
CBoth ReadOnlyAccess and CustomWriteAccess
DNo permissions
💡 Hint
Check the 'Effect on User Permissions' column at step 4.
At which step does Alice lose all permissions?
AStep 9
BStep 10
CStep 7
DStep 8
💡 Hint
Look for when both managed and inline policies are detached and user is denied permissions.
If the inline policy was never attached, what would Alice's permissions be after step 2?
ANo permissions
BOnly ReadOnlyAccess
COnly CustomWriteAccess
DBoth ReadOnlyAccess and CustomWriteAccess
💡 Hint
Refer to step 2 where only the managed policy is attached.
Concept Snapshot
Managed vs Inline Policies:
- Managed policies are standalone and reusable.
- Inline policies are embedded in one identity.
- Attach managed or inline policies to users/groups/roles.
- Permissions from both combine.
- Detaching removes permissions granted by that policy.
Full Transcript
This visual execution shows how AWS managed and inline policies work. First, a managed policy is created and attached to a user, granting permissions. Then an inline policy is created and attached to the same user, adding more permissions. The user gains combined permissions from both. When the managed policy is detached, the user loses those permissions but keeps inline policy permissions. Finally, removing the inline policy leaves the user with no permissions. This demonstrates how managed policies are reusable and separate, while inline policies are embedded and specific to one identity.

Practice

(1/5)
1. Which statement best describes an AWS managed policy?
easy
A. A policy that cannot be changed once created.
B. A policy embedded directly into a single user, group, or role.
C. A reusable permission set that can be attached to multiple users, groups, or roles.
D. A policy that only applies to AWS services, not users.

Solution

  1. Step 1: Understand managed policy characteristics

    Managed policies are standalone and reusable permission sets in AWS.

  2. Step 2: Compare with inline policies

    Inline policies are embedded directly into one user, group, or role, unlike managed policies.

  3. Final Answer:

    A reusable permission set that can be attached to multiple users, groups, or roles. -> Option C

  4. Quick Check:

    Managed policy = reusable permission set [OK]
Hint: Managed = reusable; Inline = embedded [OK]
Common Mistakes:
  • Confusing inline policies as reusable
  • Thinking managed policies are fixed and unchangeable
  • Assuming managed policies apply only to services
2. Which of the following is the correct way to attach an inline policy to a user in AWS IAM?
easy
A. AttachPolicy(userName, policyArn)
B. PutUserPolicy(userName, policyName, policyDocument)
C. AttachUserPolicy(userName, policyName)
D. CreateInlinePolicy(policyDocument)

Solution

  1. Step 1: Identify AWS IAM API for inline policies

    The correct API to attach an inline policy to a user is PutUserPolicy, which requires user name, policy name, and policy document.

  2. Step 2: Eliminate incorrect options

    AttachPolicy and AttachUserPolicy are not valid AWS IAM API calls for inline policies. CreateInlinePolicy is not a valid standalone call.

  3. Final Answer:

    PutUserPolicy(userName, policyName, policyDocument) -> Option B

  4. Quick Check:

    Inline policy attachment uses PutUserPolicy [OK]
Hint: Inline policies use PutUserPolicy API [OK]
Common Mistakes:
  • Using AttachPolicy which is for managed policies
  • Confusing policy ARN with inline policy document
  • Trying to create inline policy without specifying user
3. Given the following scenario: A user has both an inline policy allowing S3 read access and a managed policy denying S3 access. What is the effective permission for S3 access?
medium
A. The user cannot read S3 because explicit deny in managed policy overrides allow.
B. The user cannot read S3 because inline policies are ignored when managed policies exist.
C. The user can read S3 because managed policies are ignored if inline policies exist.
D. The user can read S3 because inline policies override managed policies.

Solution

  1. Step 1: Understand AWS policy evaluation logic

    AWS evaluates all policies together. Explicit deny in any policy overrides any allow.

  2. Step 2: Apply to scenario

    The managed policy denies S3 access explicitly, so even though inline policy allows it, deny takes precedence.

  3. Final Answer:

    The user cannot read S3 because explicit deny in managed policy overrides allow. -> Option A

  4. Quick Check:

    Explicit deny always overrides allow [OK]
Hint: Explicit deny beats allow, regardless of policy type [OK]
Common Mistakes:
  • Thinking inline policies override managed policies
  • Assuming allow always wins
  • Ignoring explicit deny rules
4. You created an inline policy for a role but it is not granting the expected permissions. What is the most likely cause?
medium
A. The inline policy JSON syntax is invalid.
B. The role already has a managed policy attached with higher priority.
C. Inline policies cannot be attached to roles.
D. The inline policy name conflicts with an existing managed policy.

Solution

  1. Step 1: Verify inline policy attachment rules

    Inline policies can be attached to roles, so Inline policies cannot be attached to roles. is incorrect.

  2. Step 2: Check common issues with inline policies

    Invalid JSON syntax in the inline policy will prevent permissions from applying correctly.

  3. Step 3: Understand policy priority

    Managed and inline policies are evaluated together; no priority overrides permissions except explicit deny.

  4. Final Answer:

    The inline policy JSON syntax is invalid. -> Option A

  5. Quick Check:

    Invalid JSON breaks policy effect [OK]
Hint: Check JSON syntax first for inline policy issues [OK]
Common Mistakes:
  • Assuming inline policies can't attach to roles
  • Thinking managed policies override inline by priority
  • Confusing policy names causing conflicts
5. You manage a team where multiple users need the same permissions to access DynamoDB. You also have one user who needs a unique permission set. What is the best approach to assign policies?
hard
A. Use only managed policies for all users, including the unique one.
B. Create inline policies for all users to keep permissions separate.
C. Attach the same inline policy to all users and add extra inline policies for the unique user.
D. Create a managed policy for the common permissions and attach it to all users; create an inline policy for the unique user.

Solution

  1. Step 1: Identify best practice for shared permissions

    Managed policies are reusable and ideal for common permissions shared by multiple users.

  2. Step 2: Handle unique permissions

    Inline policies are best for unique, one-off permissions tied to a single user.

  3. Step 3: Combine approaches for efficiency and clarity

    Use managed policy for the team and inline policy for the unique user to avoid duplication and ease management.

  4. Final Answer:

    Create a managed policy for the common permissions and attach it to all users; create an inline policy for the unique user. -> Option D

  5. Quick Check:

    Managed for shared, inline for unique [OK]
Hint: Managed for many users, inline for one user [OK]
Common Mistakes:
  • Using inline policies for all users causing duplication
  • Using only managed policies losing unique control
  • Attaching same inline policy to multiple users