IAM Policy ARN — Managed Policy References
Parse an IAM policy ARN to understand managed policy identification. Covers the difference between AWS-managed and customer-managed policies, and policy versioning.
Detailed Explanation
IAM Policy ARN Anatomy
IAM managed policies have ARNs that indicate whether they are AWS-managed (created by AWS) or customer-managed (created by you). The key difference is the account ID field.
AWS-Managed Policy Example
arn:aws:iam::aws:policy/ReadOnlyAccess
Customer-Managed Policy Example
arn:aws:iam::123456789012:policy/custom/MyAppPolicy
Parsed Components (Customer-Managed)
| Component | Value |
|---|---|
| Partition | aws |
| Service | iam |
| Region | (empty) |
| Account ID | 123456789012 |
| Resource Type | policy |
| Resource ID | custom/MyAppPolicy |
| Path | /custom/ |
| Policy Name | MyAppPolicy |
AWS-Managed vs. Customer-Managed
The most visible difference is the account ID field: AWS-managed policies use the literal string aws in place of an account ID, while customer-managed policies carry the 12-digit ID of the account that owns them. AWS-managed policies such as AdministratorAccess, ReadOnlyAccess, and PowerUserAccess are maintained by AWS and available in every account within a partition. The partition prefix still applies, so the same policy is arn:aws-cn:iam::aws:policy/ReadOnlyAccess in the China regions and arn:aws-us-gov:iam::aws:policy/ReadOnlyAccess in GovCloud; templates that hard-code arn:aws: break there. Because AWS updates the contents of its managed policies over time and you cannot edit them or pin an attachment to a version, attaching one grants a moving set of permissions. A customer-managed policy is the only way to control exactly what a principal receives.
Policy Paths
Like users and roles, policies can have paths. In the example arn:aws:iam::123456789012:policy/custom/MyAppPolicy, the path is /custom/ and the policy name is MyAppPolicy; paths always begin and end with a slash, and a policy created without one has the path /. Paths are useful for organizing policies by application, team, or environment. Because the path is part of the ARN, an IAM statement can also scope permissions to a group of policies with a wildcard such as arn:aws:iam::123456789012:policy/custom/*, for example to restrict which policies a deployment role may attach. The path does not make names unique: managed policy names must be unique within the account regardless of path.
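The anatomy, the AWS-managed versus customer-managed distinction, and path handling above can be exercised with a small parser. The following is an added example written for this page, not code from the original, and the aws-us-gov variant and the /custom/* Resource pattern are constructed inputs; the wildcard matcher implements the IAM Resource-element semantics (* spans any characters, ? exactly one) rather than shell globbing.

```python
"""Parse and classify IAM managed-policy ARNs (example code, not from the page)."""
import re
from dataclasses import dataclass

# Layout: arn:<partition>:iam::<account>:policy<path><name>
# IAM is a global service, so the region field between the two colons is empty.
# The account field is the literal "aws" for AWS-managed policies and a
# 12-digit account ID for customer-managed ones.
_POLICY_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):iam::"   # aws, aws-cn, aws-us-gov, ...
    r"(?P<account>aws|\d{12}):policy"
    r"(?P<path>/(?:[^/]+/)*)"                       # "/" when the policy has no path
    r"(?P<name>[\w+=,.@-]+)$"                       # characters IAM allows in names
)


@dataclass(frozen=True)
class PolicyArn:
    arn: str
    partition: str
    account: str
    path: str
    name: str

    @property
    def aws_managed(self) -> bool:
        """True when the account field is the literal 'aws'."""
        return self.account == "aws"


def parse_policy_arn(arn: str) -> PolicyArn:
    """Split a managed-policy ARN into its components.

    Raises ValueError for anything that is not a managed-policy ARN
    (role or user ARNs, short account IDs, an empty policy name, ...).
    """
    m = _POLICY_ARN.match(arn)
    if m is None:
        raise ValueError(f"not an IAM managed-policy ARN: {arn!r}")
    return PolicyArn(arn=arn, **m.groupdict())


def is_policy_arn(arn: str) -> bool:
    """Cheap validity check for callers that only need a yes/no answer."""
    return _POLICY_ARN.match(arn) is not None


def arn_matches(arn: str, pattern: str) -> bool:
    """Match an ARN against an IAM Resource-element pattern.

    IAM wildcards: '*' matches any run of characters, including '/' and ':'
    (unlike shell globbing), and '?' matches exactly one character.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    # Constructed inputs: the two ARNs from the page plus a GovCloud variant.
    for arn in (
        "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "arn:aws:iam::123456789012:policy/custom/MyAppPolicy",
        "arn:aws-us-gov:iam::aws:policy/ReadOnlyAccess",
    ):
        p = parse_policy_arn(arn)
        kind = "AWS-managed" if p.aws_managed else "customer-managed"
        print(f"{arn}\n  partition={p.partition} account={p.account} "
              f"path={p.path} name={p.name} ({kind})")

    # Path-based scoping: a Resource pattern covering every policy under /custom/.
    scope = "arn:aws:iam::123456789012:policy/custom/*"
    print(arn_matches("arn:aws:iam::123456789012:policy/custom/MyAppPolicy", scope))  # True
    print(arn_matches("arn:aws:iam::123456789012:policy/MyAppPolicy", scope))         # False
```

The parser deliberately rejects role and user ARNs and account IDs that are not twelve digits, so it is safe to use as the validation step in a guardrail that only permits attachments from an approved path. Note that IAM compares policy names case-insensitively when enforcing uniqueness; the matcher above is a plain string match and does not try to model that.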
Policy Versions
While the ARN identifies the policy itself, a managed policy can hold up to five versions, one of which is the default. The ARN always points to the policy, never to a version: every principal with the policy attached gets whatever the default version currently says. To read a specific version you pass the version ID (v1, v2, and so on) alongside the ARN in API calls such as GetPolicyVersion; version IDs never appear in the ARN. This has a security consequence: iam:CreatePolicyVersion (with SetAsDefault) or iam:SetDefaultPolicyVersion on a policy lets a principal change what every role and user attached to that ARN can do without touching a single attachment, so treat those permissions as equivalent to editing the policy and alert on them in CloudTrail.
Use Case
Attaching managed policies to IAM roles in CloudFormation or Terraform templates. The policy ARN is the reference used in the PolicyArn parameter of AttachRolePolicy API calls, in the ManagedPolicyArns property of AWS::IAM::Role in CloudFormation, and in the policy_arn argument of aws_iam_role_policy_attachment in Terraform. Templates that must deploy to more than one partition should build the ARN from the partition and account ID rather than hard-coding arn:aws: and a fixed account number.