Reputation: 76959
I'm trying to polish the organization of my IAM roles in Amazon and their access to permissions.
I have groups, with policies attached, which map to groups within my company. I have reached the 10-policy limit on some groups.
So, users have a 10-policy limit, and a 10-group limit. If I want to keep things tidy, I can't start creating groups just for the sake of bundling unrelated policies together to try and keep everything under the limit of 10.
How is one supposed to organize permissions?
Upvotes: 36
Views: 36573
Reputation: 10864
There is a trick and you can enjoy 100 policies per user. The hierarchy is this:
Attach 10 Policies to --> User Groups
Attach 10 User Groups to --> Users
This way you can achieve 100 policies attached. This may not be suitable for all use cases. But if you just need policies to be attached, this is the best trick.
Upvotes: 1
Reputation: 75
You cannot increase the number of policies per group.
Therefore, consolidating the policies into a customer-managed policy seems to be the only option.
Upvotes: 3
Reputation: 396
Two options:
Create a customer-managed policy that consolidates the access the user(s) need [Recommended]
Request that AWS raise the limit of 10 managed policies attached to a role for your account at the link below. That is a soft limit which you can request to be increased. Note that roles attached to groups are hard limits and cannot be increased. https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html
Upvotes: 28
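The consolidation that the answers above recommend (folding several managed policies into one customer-managed policy) is easy to get subtly wrong by hand, so here is an added example that is not from this thread. It concatenates the `Statement` arrays of several policy documents without fusing statements (two statements with different `Resource` or `Condition` blocks are not equivalent to one statement with the union of their actions, so each is kept intact; IAM already evaluates all attached statements together, with any explicit `Deny` winning), makes `Sid` values unique and alphanumeric as IAM requires, and checks the result against the documented 6,144-character size limit for managed policies (IAM does not count whitespace). If the combined document would exceed that limit, it packs the source policies into the fewest merged documents that fit. The sample policies, bucket, table, account ID and policy names are constructed placeholders.

```python
import json
from typing import Dict, List

# AWS-documented size limit for a managed policy document: 6,144 characters,
# with whitespace not counted. Inline policies have smaller, per-principal
# limits; this helper targets customer-managed policies only.
MANAGED_POLICY_MAX_CHARS = 6144

# Constructed sample input: three small policies a group might carry today.
# Bucket, table, account ID and policy names are placeholders.
SAMPLE_POLICIES: Dict[str, Dict] = {
    "S3ReadOnly": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnly", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"]}
        ],
    },
    "DynamoReadOnly": {
        "Version": "2012-10-17",
        # A single statement object instead of a list is valid policy JSON.
        "Statement": {"Sid": "ReadOnly", "Effect": "Allow",
                      "Action": ["dynamodb:GetItem", "dynamodb:Query"],
                      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example"},
    },
    "DenyWithoutMFA": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "NotAction": ["iam:*", "sts:GetSessionToken"],
             "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
        ],
    },
}


def policy_char_count(policy: Dict) -> int:
    """Document size the way IAM measures it: JSON with all whitespace removed."""
    compact = json.dumps(policy, separators=(",", ":"))
    return len("".join(compact.split()))


def fits_managed_policy(policy: Dict, max_chars: int = MANAGED_POLICY_MAX_CHARS) -> bool:
    return policy_char_count(policy) <= max_chars


def _sid_safe(sid: str) -> str:
    # IAM identity-based policies allow only alphanumeric Sids.
    return "".join(ch for ch in sid if ch.isalnum())


def merge_policies(policies: Dict[str, Dict]) -> Dict:
    """Concatenate the statements of several policy documents into one document.

    Statements are copied verbatim, never fused, so the merged policy grants
    exactly what the separate policies granted together. Sids are rewritten
    only when missing or duplicated, since IAM requires them to be unique
    within a policy.
    """
    merged: List[Dict] = []
    seen_sids = set()
    for name, doc in policies.items():
        if doc.get("Version") != "2012-10-17":
            raise ValueError(f"{name}: expected policy Version 2012-10-17")
        stmts = doc["Statement"]
        if isinstance(stmts, dict):
            stmts = [stmts]
        for i, stmt in enumerate(stmts):
            s = dict(stmt)
            base = _sid_safe(s.get("Sid") or f"{name}{i}")
            sid, n = base, 1
            while sid in seen_sids:
                n += 1
                sid = f"{base}{n}"
            seen_sids.add(sid)
            s["Sid"] = sid
            merged.append(s)
    return {"Version": "2012-10-17", "Statement": merged}


def pack_policies(policies: Dict[str, Dict],
                  max_chars: int = MANAGED_POLICY_MAX_CHARS) -> List[Dict]:
    """First-fit packing of source policies into the fewest merged documents
    that each stay within max_chars. Raises if one policy cannot fit alone."""
    bins: List[Dict[str, Dict]] = []
    for name, doc in policies.items():
        if not fits_managed_policy(merge_policies({name: doc}), max_chars):
            raise ValueError(f"{name} alone exceeds {max_chars} chars; split it first")
        for b in bins:
            trial = dict(b)
            trial[name] = doc
            if fits_managed_policy(merge_policies(trial), max_chars):
                b[name] = doc
                break
        else:
            bins.append({name: doc})
    return [merge_policies(b) for b in bins]


if __name__ == "__main__":
    for i, doc in enumerate(pack_policies(SAMPLE_POLICIES), 1):
        print(f"merged policy {i}: {len(doc['Statement'])} statements, "
              f"{policy_char_count(doc)} chars (limit {MANAGED_POLICY_MAX_CHARS})")
        print(json.dumps(doc, indent=2))
```

Write each merged document to a file and create it with `aws iam create-policy --policy-name <name> --policy-document file://merged.json`, then attach that one policy to the group in place of the originals. Keep the source policies and this merge step in version control and regenerate the merged document when one of them changes, so the consolidated policy does not drift from the pieces it was built from.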