Concept: Managed Policies, in category AWS

This is an excerpt from Manning's book AWS Security MEAP V03.
This example illustrates two of the basic concepts of IAM, Users and Policies. Securing logical access to your AWS resources through IAM will require you to be very familiar with these concepts as well as others like Roles and Managed Policies. Chapter 2 will expand on these concepts to show you how to make managing IAM controls easier and more secure.
Figure 2.3 Inline Policies vs Managed Policies vs Groups for three users and two policies
You could create a best practice that bans the use of AWS Managed Policies. Whether this is a good idea depends on the needs of your organization. The key point to think about is how much security value is added versus how much convenience is lost. Most of these factors, however, are highly dependent on your situation. For example, we said that it's more work to create your own policy. But what if you're attaching the same policy to a very large number of users? In that case, on a per-user basis, it really isn't much additional work. For these reasons, quantifying security value and convenience is difficult, but we can make some comparisons. Relative to banning policy wildcards, banning AWS Managed Policies tends to provide less security value, since the policies are at least written by AWS and usually do what you would expect; they are also typically scoped down for common use cases. In terms of convenience, the Managed Policies provide more value, as you don't even need to write a policy at all. Table 3.4 below summarizes the major pros and cons of banning managed policies.
Table 3.4 Summary of Banning AWS Managed Policies as a Best Practice

| Security Benefits of Banning Managed Policies | Convenience Costs of Banning Managed Policies |
|---|---|
| Reduces the risk of excessive permissions. | It takes additional time to write a custom policy rather than using one already written by AWS. |
| Managed policies are broad, and don't always map exactly to the permissions that are needed. | Mistakes are more likely to happen if you have to write your own policy. |
| | Custom policies will need to be updated when AWS services make updates, whereas the AWS Managed Policies are updated automatically. |
| | Custom policies add more resources that you need to review. |
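The two best practices weighed above, banning policy wildcards and banning AWS Managed Policies, can both be checked offline from an account's policy documents and attachments. The following is an added example, not code from the book: the policy document, bucket name, policy names and the 123456789012 account id are all constructed.

```python
import json
import re

# Constructed sample policy: statement 0 has the two wildcard patterns the
# chapter warns about, statement 1 is tightly scoped, statement 2 is a Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})

# Constructed ARNs attached to one user; 123456789012 is a placeholder account.
SAMPLE_ATTACHMENTS = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::123456789012:policy/ReadOnlyS3",
]

# AWS Managed Policies are owned by the pseudo-account "aws"; customer-managed
# policies carry the customer's 12-digit account id instead.
AWS_MANAGED_ARN = re.compile(r"^arn:aws:iam::aws:policy/")


def _as_list(value):
    # IAM lets Statement, Action and Resource be a single string or a list.
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy_json):
    """Return (statement index, field, value) for each Allow statement whose
    Action is unbounded ('*' or 'service:*') or whose Resource is a bare '*'.
    Deny wildcards only remove permissions and a key prefix such as
    'bucket/*' is scoping rather than a blanket grant, so neither is flagged."""
    findings = []
    doc = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((index, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((index, "Resource", resource))
    return findings


def aws_managed_attachments(policy_arns):
    """Return the attached ARNs a 'no AWS Managed Policies' rule would reject."""
    return [arn for arn in policy_arns if AWS_MANAGED_ARN.match(arn)]
```

In a real account the inputs would come from the IAM API (the policy's default version document and the user's attached-policy list) instead of the constructed samples.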