
So I just discovered that AWS roles have a limit of 10/20 managed policies attached. So I guess that many fine-grained policies is a dead end, and instead I should use fewer coarse-grained policies (or even a single policy file). For example, a single policy that deals with all S3 buckets etc that can be accessed, rather than one-policy-per-bucket. Is that correct or am I missing something?

Leaf Garland 08:05:48

Look at resource based policies? e.g. attach your policies to the buckets, instead of to the identities.


Thanks, I didn't know those existed. Might solve some (but not all) cases for services that do support them.


How do you manage your policies? If you’re using something like Terraform, in my experience there’s little benefit to managed policies, since in your tf code there’s not much of a difference between a managed policy and a bunch of inline policies that use the same text that comes out of a single file.


I practice ClickOps :) Terraform or something like it is on the way some time this year.


AWS managed policies are good because they get updated by AWS as services evolve. We need some of them for, e.g., ElasticBeanstalk.