I have more than 10 lambdas. I am managing the infrastructure using a SAM template. I have defined Function resources for these lambdas. There are some common permissions required by these lambdas: CloudWatch, X-Ray. Each lambda again requires its own specific permissions, like Lambda1 might require permission for S3, Lambda2 for Parameter Store.
So, to manage these permissions for the lambdas, I have decided to create an inline policy along with each Function resource with its specific permissions, and to define a Policy resource with the common permissions for all lambdas and refer to that in each inline lambda policy.
When I am defining the separate Policy resource, I am confused whether to use Type AWS::IAM::Policy or AWS::IAM::ManagedPolicy. What is the difference between the two? Which one is useful in my use case?
And also please suggest how I can refer to this Policy resource in the inline policy of each lambda.
2 Answers
When we define a policy as AWS::IAM::Policy, it is required to associate it with a user/role.
With AWS::IAM::ManagedPolicy it is not required to do so.
AWS::IAM::ManagedPolicy is managed and provided by AWS, and AWS::IAM::Policy is something you create.
For example, there is a ManagedPolicy named AmazonSSMManagedInstanceCore, which is an AWS managed policy that is readily available for use. Likewise there are a number of ManagedPolicies for common use cases provided by AWS.
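As an added worked example (not part of the question or of the answer above), here is a cut-down SAM template that wires up the layout the question describes: one shared policy for logging and tracing, and the function-specific permissions kept next to each function. The resource names, the bucket name and the parameter path are placeholders chosen for illustration. It relies on two CloudFormation facts: `Ref` on an AWS::IAM::ManagedPolicy resource returns the policy's ARN, and one managed policy can be attached to any number of roles, which is what makes it usable as the shared piece; an AWS::IAM::Policy resource has no ARN to reference and instead lists the Roles/Users/Groups it is embedded in. Lambda1 attaches the shared policy through the SAM `Policies` shortcut (a string or intrinsic entry is treated as a managed policy ARN, a map with a `Statement` as an inline document); Lambda2 shows the same thing with an explicit AWS::IAM::Role.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Added example: one customer managed policy shared by all functions,
  plus per-function permissions kept inline on each function's role.
  Resource names, bucket name and parameter path are placeholders.

Resources:
  # Shared permissions every function needs (CloudWatch Logs + X-Ray).
  # Ref of an AWS::IAM::ManagedPolicy returns its ARN, so other resources
  # can attach it; an AWS::IAM::Policy has no ARN and must name its roles.
  CommonLambdaPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Logging and tracing permissions common to all lambdas
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: Logs
            Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*
          - Sid: XRay
            Effect: Allow
            Action:
              - xray:PutTraceSegments
              - xray:PutTelemetryRecords
            Resource: '*'   # the X-Ray trace APIs do not support resource-level restrictions

  # Pattern 1: let SAM build the execution role. A string/Ref entry in
  # Policies is attached as a managed policy; a map with Statement is inline.
  Lambda1Function:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda1/
      Tracing: Active
      Policies:
        - !Ref CommonLambdaPolicy
        - Version: '2012-10-17'
          Statement:
            - Sid: ReadOneBucket
              Effect: Allow
              Action: s3:GetObject
              Resource: arn:aws:s3:::example-input-bucket/*   # placeholder bucket

  # Pattern 2: explicit role in plain CloudFormation. ManagedPolicyArns
  # attaches the shared policy; Policies holds this role's inline policy.
  Lambda2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref CommonLambdaPolicy
      Policies:
        - PolicyName: ReadOwnParameters
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lambda2/*   # placeholder path

  Lambda2Function:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda2/
      Tracing: Active
      Role: !GetAtt Lambda2Role.Arn
```

Two caveats worth knowing before deploying. When SAM generates the role itself (Lambda1), it also attaches AWSLambdaBasicExecutionRole, and AWSXRayDaemonWriteAccess when `Tracing: Active` is set, so the shared policy is partly redundant there; with an explicit role (Lambda2) nothing is added for you, which is why the common policy spells out logs and xray permissions. Each S3 and SSM statement is scoped to one bucket or one parameter path rather than `*`; reading SecureString parameters additionally needs `kms:Decrypt` on the key. After `sam deploy`, `aws iam list-attached-role-policies --role-name <role>` shows the managed policy attached by ARN and `aws iam list-role-policies --role-name <role>` shows only the inline one, which is a quick way to confirm which of the two resource types you actually ended up with.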