Distinguish IAM managed and inline policies
📑 On this page
Part 91 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
Managed policies are standalone reusable resources. Inline policies are embedded in one user, group, or role and share its lifecycle.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
aws iam list-attached-user-policies \
--user-name "$USER_NAME"
aws iam list-user-policies \
--user-name "$USER_NAME"The first command returns policy ARNs. The second returns inline policy names.
Inspect the result
aws iam list-attached-user-policies \
--user-name "$USER_NAME" \
--query "AttachedPolicies[].{Name:PolicyName,Arn:PolicyArn}" \
--output tableA complete user review needs both lists plus group memberships.
One tiny variation
aws iam list-attached-group-policies --group-name "$GROUP_NAME"
aws iam list-group-policies --group-name "$GROUP_NAME"Groups have the same managed-versus-inline distinction.
Common mistake
Do not assume inline means temporary. Inline policies can remain for years and are often harder to inventory and reuse.
Cleanup
# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identityKeep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.
Next, we will learn List managed policies attached to an IAM user.