AWS Managed Policy Vs Policy

Can someone explain to me the difference between an AWS Policy and an AWS Managed Policy in the context of CloudFormation?

More specifically, I'm trying to define an auto scaling template where:

  1. Each instance in an auto scale configuration is assigned an IAM Instance Role that has a policy.
  2. The same policy is applied to the user when they try and access these instances.

I'm trying to keep duplication to a minimum, and it seems like I may be able to achieve it via a Policy linked to a role and a group of users. The role can then be associated with an EC2 instance via an instance profile, and users can be added to the group, which in turn is assigned the policy.

Why and under what circumstances would one use a ManagedPolicy?

Thank you for your assistance.

EDIT: It seems like Role requires a policy document irrespective. So even having a separate policy won't really help? Or am I missing something?

Asked by MojoJojo, Mar 19 '16 22:03

2 Answers

AWS::IAM::Role only requires a trust policy. The Policy/Managed Policy can be defined separately.

The difference between AWS::IAM::ManagedPolicy and AWS::IAM::Policy is that AWS::IAM::ManagedPolicy does not require you to assign a Group, Role or User when defining it. AWS::IAM::Policy does. In your use case, you're probably fine using AWS::IAM::Policy.

Answered by SeanFromIT, Nov 07 '22 07:11
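To make the difference concrete for the question's layout (instance role plus user group sharing one permission set), here is an added CloudFormation template. It is not code from the question or from either answer. The resource names, the `BucketName` parameter and the AMI id are placeholders chosen for this illustration. The role carries only a trust policy, as the answer says; all permissions live in a single AWS::IAM::ManagedPolicy that is attached to both the role and the group, so the policy document is written once.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the thread): one customer managed policy shared by
  an EC2 instance role and an IAM user group.

Parameters:
  BucketName:
    Type: String
    Description: Existing S3 bucket the instances and users may read (placeholder value)

Resources:
  # The role carries ONLY a trust policy: it states who may assume it (EC2).
  # No permissions are defined here; they come from SharedReadPolicy below.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole

  # The instance profile is what the launch template references;
  # it simply wraps the role for use by EC2.
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref InstanceRole

  # Group that human users are added to (users themselves are created elsewhere).
  OperatorsGroup:
    Type: AWS::IAM::Group

  # One policy document, defined once, attached to both principals.
  # A managed policy needs no Roles/Groups/Users at all to be valid;
  # they are listed here only because this example wants the attachment.
  # Least privilege: read access scoped to a single bucket, nothing more.
  SharedReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read-only access to one bucket, shared by instances and operators
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource: !Sub 'arn:aws:s3:::${BucketName}/*'
          - Effect: Allow
            Action:
              - s3:ListBucket
            Resource: !Sub 'arn:aws:s3:::${BucketName}'
      Roles:
        - !Ref InstanceRole
      Groups:
        - !Ref OperatorsGroup

  # Launch template used by the auto scaling group (ASG itself omitted for brevity).
  InstanceLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-00000000   # placeholder, replace with a real AMI id
        InstanceType: t3.micro
        IamInstanceProfile:
          Name: !Ref InstanceProfile
```

Swapping `AWS::IAM::ManagedPolicy` for `AWS::IAM::Policy` in this template works too, but then `PolicyName` becomes mandatory and at least one of `Roles`, `Groups` or `Users` must be given, because an inline policy only exists as part of the principal it is embedded in. The practical consequences: an inline policy is deleted together with its principal and cannot be attached to anything outside the stack, whereas a managed policy is a standalone resource with its own ARN that can be attached to principals created elsewhere and is versioned by IAM, which makes it the better fit when several principals are meant to share exactly the same permission set over time.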


If I may add, testing Policy creation using CDK v2.12.0, groups, users or roles are not required. iam.ManagedPolicy creates a policy you can share; iam.Policy is created as an inline policy.

// Inline policy: its document is embedded in the principal(s) it is attached to
new iam.Policy(this, 'testPolicy2', {
  statements: policyDocs,
  //groups: [s3UserGroup],
  policyName: 'testPolicy2'
})

// Customer managed policy: a standalone resource that can be attached to many principals
new iam.ManagedPolicy(this, 'testPolicy3', {
  statements: policyDocs,
  //groups: [s3UserGroup],
  managedPolicyName: 'testPolicy3'
})

Answered by Francis Zabala, Nov 07 '22 06:11