For AWS IAM Policies, Prefer Managed Policies over Inline Policies
Overview
I looked into the difference between managed policies and inline policies for IAM policies, and which one you should use.
Conclusion: Avoid Inline Policies and Actively Use Managed Policies
Managed Policies and Inline Policies
If you look at the “Comparison of managed policies and inline policies” section in the AWS documentation linked above, the benefits of using managed policies become clear.
We recommend that you use managed policies instead of inline policies.
Managed policies provide the following features:
- Reusability
- Central change management
- Versioning and rollback
- Delegating permissions management
- Automatic updates for AWS managed policies
Thinking Like Terraform
If you think about the resources you need from Terraform’s perspective, you end up with the following:
Managed policy
- aws_iam_policy
- aws_iam_user_policy_attachment
Inline policy
- aws_iam_user_policy
Example) Managed Policy
```hcl
# IAM User
```
Example) Inline Policy
```hcl
# IAM User
```
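As an added example that is not the original post's code, the following Terraform shows the same read-only S3 permission wired up both ways: as a customer managed policy (aws_iam_policy plus aws_iam_user_policy_attachment) and as an inline policy (aws_iam_user_policy). The user name, policy names and bucket ARN are assumed placeholders.

```hcl
# Added example, not from the original post. All names and the bucket ARN are
# assumed placeholders.

# The IAM user that both variants below grant permissions to.
resource "aws_iam_user" "example" {
  name = "example-user"
}

# Shared policy document so the two variants grant exactly the same access.
data "aws_iam_policy_document" "s3_read" {
  statement {
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-bucket",
      "arn:aws:s3:::example-bucket/*",
    ]
  }
}

# --- Managed policy: a standalone policy resource plus an attachment ---
# The policy gets its own ARN, so it can be attached to other users, groups
# or roles, IAM keeps versions of it, and it can be reviewed on its own.
resource "aws_iam_policy" "s3_read" {
  name   = "s3-read-example-bucket"
  policy = data.aws_iam_policy_document.s3_read.json
}

resource "aws_iam_user_policy_attachment" "s3_read" {
  user       = aws_iam_user.example.name
  policy_arn = aws_iam_policy.s3_read.arn
}

# --- Inline policy: embedded directly in the user ---
# The document exists only on this user: no ARN to reuse, no version history,
# and nothing to attach elsewhere if a second principal needs the same access.
resource "aws_iam_user_policy" "s3_read_inline" {
  name   = "s3-read-example-bucket-inline"
  user   = aws_iam_user.example.name
  policy = data.aws_iam_policy_document.s3_read.json
}
```

In practice you would keep only one of the two variants; they are shown side by side so the difference in resource wiring is visible in one file.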
Summary
The next time you get a chance to review a Terraform project and you spot an aws_iam_user_policy, by all means narrow your eyes and hold forth about “the superiority of managed policies…” while linking to the AWS documentation.
That’s all.
I hope you find this helpful.
https://kenzo0107.github.io/en/2020/07/02/aws-iam-policy-managed-or-inline/