Read this if you ever had challenges with AWS Managed Policies

If you are building in AWS, you know the drill: at some point, that IAM Policy that is way too relaxed needs to be hammered down into something that respects The Principle of Least Privilege. But that’s tough.

That’s why AWS offers AWS managed policies. An AWS managed policy is a standalone policy that is created and administered by AWS. Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy. It is a best practice to use these AWS managed policies whenever you can, just because it removes some responsibilities from your plate. It doesn’t come without challenges, however.

Have you ever read about the deprecation process of AWS managed policies? It states that AWS can, and will, make changes to policies to add new statements. A usual example of that behavior is when they need to update a policy to take a new service release into consideration. However, if there is a breaking change to be made, they might deprecate policies altogether.

Another challenge is: How to pick the right AWS managed policy for what you are trying to achieve? There are lots of options and it’s hard to pick the right one. And, when you pick one, how do you know what its statements entail? Does it allow just enough? Does it block something that you need and enable access to something you don’t?
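The two questions above (what do a managed policy's statements actually entail, and what changed when AWS published a new version) can be answered from the policy document itself. The script below is an added example, not code from this post or from the Skycrafters page: it groups a policy's actions by service so you can see at a glance which services it touches, and it diffs two versions to surface newly allowed actions. The two policy documents are constructed samples in the shape of an IAM policy, not the contents of any real AWS managed policy; the `fetch_default_version` helper uses the real boto3 `get_policy` / `get_policy_version` calls but assumes AWS credentials and is only imported when called, so everything else runs offline.

```python
import json

# Constructed sample documents: a hypothetical managed policy in two versions.
# These are NOT real AWS managed policy contents; they only illustrate the shape.
OLD_VERSION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:GetRole", "Resource": "*"},
    ],
}

NEW_VERSION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:GetRole", "Resource": "*"},
        # A statement added in the newer version (constructed for this example).
        {"Effect": "Allow", "Action": ["lambda:InvokeFunction"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement"))


def summarize_policy(doc):
    """Return {effect: {service: sorted actions}} for a policy document.

    Actions are grouped by the service prefix before the colon ("s3:GetObject" -> "s3"),
    which is the quickest way to see which services a managed policy touches.
    A bare "*" action has no service prefix and is filed under "*".
    """
    summary = {}
    for stmt in _statements(doc):
        effect = stmt.get("Effect", "Allow")
        by_service = summary.setdefault(effect, {})
        for action in _as_list(stmt.get("Action")):
            service = action.split(":", 1)[0] if ":" in action else "*"
            by_service.setdefault(service, set()).add(action)
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions; it is easy
            # to misread, so surface it explicitly under the "*" service.
            excluded = ",".join(_as_list(stmt["NotAction"]))
            by_service.setdefault("*", set()).add(f"NotAction:{excluded}")
    return {e: {s: sorted(a) for s, a in svc.items()} for e, svc in summary.items()}


def canonical(stmt):
    """Stable JSON text for a statement so two versions can be compared exactly."""
    return json.dumps(stmt, sort_keys=True, separators=(",", ":"))


def diff_policy_versions(old_doc, new_doc):
    """Return (added, removed) statements between two versions of the same policy."""
    old = {canonical(s): s for s in _statements(old_doc)}
    new = {canonical(s): s for s in _statements(new_doc)}
    added = [new[k] for k in new if k not in old]
    removed = [old[k] for k in old if k not in new]
    return added, removed


def new_allowed_actions(old_doc, new_doc):
    """Actions the new version allows that the old one did not (the 'added statement' case)."""
    old_allow = {a for acts in summarize_policy(old_doc).get("Allow", {}).values() for a in acts}
    new_allow = {a for acts in summarize_policy(new_doc).get("Allow", {}).values() for a in acts}
    return sorted(new_allow - old_allow)


def fetch_default_version(policy_arn):
    """Fetch the current default version document of a managed policy with boto3.

    Assumes AWS credentials are configured; boto3 is imported here so that the
    offline functions above work without it. boto3 returns Document as a dict.
    """
    import boto3  # assumption: installed and credentials available when this is called

    iam = boto3.client("iam")
    version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    version = iam.get_policy_version(PolicyArn=policy_arn, VersionId=version_id)
    return version["PolicyVersion"]["Document"]


if __name__ == "__main__":
    print(json.dumps(summarize_policy(NEW_VERSION), indent=2))
    added, removed = diff_policy_versions(OLD_VERSION, NEW_VERSION)
    print("added:", added, "removed:", removed)
    print("newly allowed actions:", new_allowed_actions(OLD_VERSION, NEW_VERSION))
```

To compare against what AWS actually publishes, store the document returned by `fetch_default_version("arn:aws:iam::aws:policy/IAMReadOnlyAccess")` and run `new_allowed_actions` against the stored copy on a schedule; a non-empty result is the signal to review the policy again. The same `PolicyArn` can be passed to boto3's `list_policy_versions` to retrieve earlier version ids if you also want the history.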

Then you Google it and find a neat list of the AWS managed policies hosted in someone’s GitHub (thanks!) but realize it was posted over 2 years ago (boo!) and aren’t sure if it is still relevant or not.

Well… Worry no more 🙂

We at Skycrafters suffered from that way too much to leave it as it is, so we decided to fix it. We created our own page that is not just always updated with the latest AWS managed policies, but also always has the latest version of all AWS managed policies!

You can check it out at: AWS Managed Policies - Skycrafters

Let us know what you think and what you wish was available on this page here on this topic, so we can continue building our wish list.

Wish List

  • Get notified when AWS changes a policy by email or slack (Responder may help)
  • Get notified when a policy gets added or removed by AWS
  • Get a list of all previous versions, and the statement of these previous versions - not just the latest one
  • Search in the statement (in addition to the policy name)
  • Create page per statement
  • Group statement by service (S3, IAM, etc.) - This might be tricky because many are cross-services
  • Discussion at the end of the policy page (so anyone can let the community know about the shortcomings of the policy, for instance)