Tags: amazon-web-services, aws-lambda, aws-sam, aws-policies

Difference between AWS::IAM::Policy and AWS::IAM::ManagedPolicy


I have more than 10 lambdas. I am managing the infrastructure using a SAM template. I have defined Function resources for these lambdas. There are some common permissions required by these lambdas: CloudWatch, X-Ray. Each lambda again requires its own specific permissions. For example, Lambda1 might require permission for S3, Lambda2 for Parameter Store.

So, to manage these permissions for the lambdas, I have decided to create an inline policy along with each Function resource with its specific permissions, and to define a Policy resource with the common permissions for all lambdas and refer to that in each lambda's inline policy.

When I am defining the separate Policy resource, I am confused whether to use Type AWS::IAM::Policy or AWS::IAM::ManagedPolicy. What is the difference between the two? Which is useful in my use case?

And also please suggest how I can refer to this Policy resource in the inline policy of each lambda.


Solution

  • When we define the policy as:

    • AWS::IAM::Policy: it is required to associate it with a user/role.

    • AWS::IAM::ManagedPolicy: it is not required to do so.
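The SAM template below is an added example illustrating the answer's point; it is not code from the question or the answer. It puts the common CloudWatch Logs and X-Ray permissions in one AWS::IAM::ManagedPolicy, which exists as a standalone resource, and then attaches it to each function's role through ManagedPolicyArns while each role keeps its own inline policy for the function-specific permissions. The resource names (CommonLambdaPolicy, Lambda1Role, Lambda2Role, Lambda1, Lambda2), the parameters DataBucket and ParameterPrefix, and the handler paths are assumptions made for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  DataBucket:            # assumed: bucket that Lambda1 reads from
    Type: String
  ParameterPrefix:       # assumed: SSM parameter path prefix Lambda2 reads
    Type: String
    Default: /myapp/

Resources:
  # Common permissions as a customer managed policy. Unlike AWS::IAM::Policy,
  # this resource needs no Roles/Users/Groups property; !Ref returns its ARN.
  CommonLambdaPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: CloudWatch Logs and X-Ray permissions shared by all functions
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            # scoped to Lambda log groups rather than all log groups in the account
            Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*
          - Effect: Allow
            Action:
              - xray:PutTraceSegments
              - xray:PutTelemetryRecords
            Resource: '*'   # these X-Ray actions do not support resource-level scoping

  # Role for Lambda1: shared managed policy + inline policy for its S3 bucket.
  Lambda1Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref CommonLambdaPolicy
      Policies:
        - PolicyName: Lambda1S3ReadOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:${AWS::Partition}:s3:::${DataBucket}/*

  # Role for Lambda2: same managed policy + inline policy for Parameter Store.
  Lambda2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref CommonLambdaPolicy
      Policies:
        - PolicyName: Lambda2ParameterStoreRead
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${ParameterPrefix}*

  Lambda1:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda1
      Role: !GetAtt Lambda1Role.Arn

  Lambda2:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda2
      Role: !GetAtt Lambda2Role.Arn
```

Had the common permissions been declared as AWS::IAM::Policy instead, the resource would have to list every function's role in its Roles property, so adding an eleventh function would mean editing the shared policy as well as the new function; with AWS::IAM::ManagedPolicy each new role simply references the policy's ARN. Keeping the bucket and parameter ARNs scoped per role, as above, also means a compromise of one function's credentials does not carry the other function's permissions.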