Getting started with managed policies - Amazon Identity and Access Management

Getting started with managed policies

We recommend using policies that grant least privilege, that is, only the permissions required to perform a task. The most secure way to grant least privilege is to write a customer managed policy with only the permissions needed by your team. You must create a process to allow your team to request more permissions when necessary. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need.

To get started adding permissions to your IAM identities (users, groups of users, and roles), you can use Amazon managed policies. Amazon managed policies don't grant least privilege permissions. You must consider the security risk of granting your principals more permissions than they need to do their job.

You can attach Amazon managed policies, including job functions, to any IAM identity. For more information, see Adding and removing IAM identity permissions.

To switch to least privilege permissions, you can run Amazon Identity and Access Management Access Analyzer to monitor the principals with Amazon managed policies. After you learn which permissions they are using, you can write or generate a customer managed policy with only the required permissions for your team. Starting from Amazon managed policies in this way is less secure than granting least privilege from the outset, but it provides more flexibility as you learn how your team is using Amazon. For more information, see IAM Access Analyzer policy generation.
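
The step described above, turning observed activity into a customer managed policy, shown as an added example; it is not Amazon's code and not how IAM Access Analyzer is implemented. The CloudTrail-style records, role names, account ID and bucket are constructed, the `role` and `resource` fields are simplifications, and the two name overrides are the only mismatches this sketch knows about.

```python
import json
from collections import defaultdict

# CloudTrail names that differ from the IAM action name. Deliberately small;
# extend it from the Service Authorization Reference before relying on it.
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
ACTION_OVERRIDES = {("s3", "ListObjects"): "ListBucket"}
# Denied calls were never permitted, so they go to human review, not the policy.
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}

# Constructed sample records (not real logs); role names are hypothetical.
ROLE = "arn:aws-cn:iam::111122223333:role/report-builder"
OTHER = "arn:aws-cn:iam::111122223333:role/other"
EVENTS = [
    {"role": ROLE, "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resource": "arn:aws-cn:s3:::example-reports/*"},
    {"role": ROLE, "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "resource": "arn:aws-cn:s3:::example-reports"},
    {"role": ROLE, "eventSource": "monitoring.amazonaws.com",
     "eventName": "PutMetricData", "resource": "*"},
    {"role": ROLE, "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "resource": "*", "errorCode": "AccessDenied"},
    {"role": OTHER, "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "resource": "*"},
]

def iam_action(event):
    """Map one CloudTrail-style record to an IAM action string."""
    prefix = event["eventSource"].split(".")[0]
    prefix = PREFIX_OVERRIDES.get(prefix, prefix)
    name = ACTION_OVERRIDES.get((prefix, event["eventName"]), event["eventName"])
    return f"{prefix}:{name}"

def build_policy(events, role):
    """Group one role's permitted calls by resource into Allow statements."""
    by_resource = defaultdict(set)
    for ev in events:
        if ev["role"] != role or ev.get("errorCode") in DENIED:
            continue  # skip other principals and calls that were denied
        by_resource[ev["resource"]].add(iam_action(ev))
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": res}
        for res, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(build_policy(EVENTS, ROLE), indent=2))
```

The resulting document contains only the three actions the role was actually allowed to perform, each scoped to the resource it touched; the denied `CreateUser` call and the other role's activity do not appear.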

Amazon managed policies are designed to provide permissions for many common use cases. For more information about Amazon managed policies that are designed for specific job functions, see Amazon managed policies for job functions.

For a list of Amazon managed policies, see Amazon Managed Policy Reference Guide.