
I'm trying to polish the organization of my IAM roles in Amazon and their access to permissions.

I have groups, with policies attached, which map to groups within my company. I have reached the 10-policy limit on some groups.

So, users have a 10-policy limit, and a 10-group limit. If I want to keep things tidy, I can't start creating groups just for the sake of bundling unrelated policies together to try and keep everything under the limit of 10.

How is one supposed to organize permissions?

salezica

2 Answers


Two options:

  1. Create a customer-managed policy that consolidates the access the user(s) need [Recommended]

  2. Request that AWS raise its limit of 10 managed policies attached to a role for your account at the link below. That is a soft limit which you can request to be increased. Note that roles attached to groups are hard limits and cannot be increased. https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

Asclepius
  • I was thinking of implementing the first option but I have created the policy group and attached all the roles to it and it started complaining about the access issues that will be solved once we add the policy. Is there anything I am missing? – talkdatatome Mar 23 '20 at 22:43
  • @ramyar-jafarkhani but not all users have the same access. And also permissions for a user can change over time which can apply for multiple users at once. So if we create specific permission policy for each user, it will become difficult to manage and update. – Sahil May 08 '20 at 07:18
  • "Note that roles attached to groups are hard limits and cannot be increased." roles cannot be attached to groups, this sentence does not make sense – danielpops Apr 14 '21 at 23:02
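As an added illustration of option 1 (this is example code, not something from the answer's author or from AWS), the script below merges several existing policy documents into a single customer-managed policy document, unions the actions of statements that share the same Effect and Resource, leaves statements with a Condition or Not* element untouched so their semantics cannot change, and checks the result against the IAM quota of 6,144 characters (whitespace not counted) for a managed policy document. The sample policies are constructed for the example.

```python
import json
from typing import Any, Dict, List, Tuple

# IAM quota for a customer-managed policy document. IAM does not count
# whitespace toward this limit.
MANAGED_POLICY_MAX_CHARS = 6144

# Constructed sample input: three small policies that previously sat on one
# group as three separate attachments (fictitious bucket name).
SAMPLE_POLICIES: List[Dict[str, Any]] = [
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "List", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "Read", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "Write", "Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        # Duplicate of the first policy's List statement; it is deduplicated.
        {"Sid": "List", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ]},
    # "Statement" may be a single object rather than a list.
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}},
]

# Elements whose presence makes a statement unsafe to merge by action union.
NON_MERGEABLE = ("Condition", "NotAction", "NotResource", "Principal", "NotPrincipal")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def consolidate(policies: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Merge several identity-based policy documents into one document.

    Statements with the same Effect and Resource set (and no Condition/Not*
    element) are combined by taking the union of their actions, which grants
    exactly what the originals granted. Anything else is copied through as-is.
    Sids are dropped because they must be unique within one document and the
    source documents may reuse them.
    """
    merged: Dict[Tuple[str, Tuple[str, ...]], Dict[str, Any]] = {}
    passthrough: List[Dict[str, Any]] = []
    for policy in policies:
        if policy.get("Version", "2012-10-17") != "2012-10-17":
            raise ValueError("refusing to mix policy language versions")
        for stmt in _as_list(policy.get("Statement")):
            stmt = dict(stmt)
            stmt.pop("Sid", None)
            if "Action" not in stmt or any(k in stmt for k in NON_MERGEABLE):
                passthrough.append(stmt)
                continue
            resources = _as_list(stmt.get("Resource"))
            key = (stmt["Effect"], tuple(sorted(resources)))
            entry = merged.setdefault(key, {"Effect": stmt["Effect"], "Action": set(),
                                            "Resource": resources})
            entry["Action"].update(_as_list(stmt["Action"]))
    statements = [{"Effect": e["Effect"], "Action": sorted(e["Action"]), "Resource": e["Resource"]}
                  for e in merged.values()]
    statements.extend(passthrough)
    return {"Version": "2012-10-17", "Statement": statements}


def policy_size(doc: Dict[str, Any]) -> int:
    """Size as IAM measures it: serialised JSON with all whitespace removed."""
    return len("".join(json.dumps(doc, separators=(",", ":")).split()))


def fits_managed_policy_quota(doc: Dict[str, Any]) -> bool:
    return policy_size(doc) <= MANAGED_POLICY_MAX_CHARS


if __name__ == "__main__":
    doc = consolidate(SAMPLE_POLICIES)
    print(json.dumps(doc, indent=2))
    print(f"{policy_size(doc)} of {MANAGED_POLICY_MAX_CHARS} characters used;"
          f" fits quota: {fits_managed_policy_quota(doc)}")
```

Write the printed document to a file, create the policy with `aws iam create-policy --policy-name <name> --policy-document file://consolidated.json`, attach it with `aws iam attach-group-policy --group-name <group> --policy-arn <arn>`, and only then detach the original policies from the group. Review the merged output before attaching it: the union step is only applied where it is semantically neutral, so anything the script could not merge shows up unchanged at the end of the statement list.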

You cannot increase the amount of policies per group.

Therefore, consolidating the policies into a customer managed policy seems to be the only option.

John Rotenstein
tykom