IAM Policy Versioning

Pubudu Jayawardana, Cloud Engineer, AWS Community Builder

IAM policy versions are a useful IAM feature when you need to identify the correct access rights for a particular policy and switch between the changes that have been applied to it.

Please Note: Policy versions are not available for inline policies.

When you update a customer managed policy, AWS does not overwrite the existing policy. Instead, a new version is created and set as the default version.

Using AWS Console

Image: Policy versions listing for a single IAM Policy

Navigate to IAM > Policies, select Customer managed policies and choose a specific policy. Under Policy versions you will see one version for each modification you made to the policy document. Even a fresh policy with no modifications shows Version 1, which is set as the Default version.

Here you can easily set a previous version as the default, or delete previous versions.

Please Note: Currently, a maximum of 5 versions is allowed.

Even AWS managed policies show policy versions, created as and when AWS updates them. However, you cannot delete those versions or set the default version (which is expected, since AWS manages those policies).

Using AWS CLI

Using the AWS CLI, you can retrieve the same policy version information with the list-policy-versions command:

aws iam list-policy-versions --policy-arn arn:aws:iam::xxxxxxxx:policy/lambda_execute

This outputs the result below, which contains the creation date, version ID and default-version flag for each version.

{
    "Versions": [
        {
            "CreateDate": "2019-03-04T10:48:30Z", 
            "VersionId": "v5", 
            "IsDefaultVersion": true
        }, 
        {
            "CreateDate": "2019-03-04T10:46:13Z", 
            "VersionId": "v4", 
            "IsDefaultVersion": false
        }, 
        {
            "CreateDate": "2019-03-04T10:44:14Z", 
            "VersionId": "v3", 
            "IsDefaultVersion": false
        }, 
        {
            "CreateDate": "2019-03-03T23:59:49Z", 
            "VersionId": "v2", 
            "IsDefaultVersion": false
        }, 
        {
            "CreateDate": "2019-03-03T23:56:17Z", 
            "VersionId": "v1", 
            "IsDefaultVersion": false
        }
    ]
}

You can also set the default (effective) version of a policy with the set-default-policy-version command, passing the version ID you want to make the default.

aws iam set-default-policy-version --policy-arn arn:aws:iam::xxxxxxxxxx:policy/lambda_execute --version-id v2

Here the policy lambda_execute is reverted to v2. The command produces no output, but you can verify the result with the list-policy-versions command described above.
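Because the default version is the one that actually grants access, and because the 5-version limit blocks further updates until an old version is deleted, it is useful to turn the list-policy-versions output into a quick health summary. The script below is an added example, not code from the original post; it uses only the Python standard library and reads the JSON that list-policy-versions prints. The function name summarize_versions and the file name policy_versions.py are assumptions, and the embedded sample is a constructed copy of the output shown above.

```python
import json
import sys
from datetime import datetime, timezone

# Limit on versions per customer managed policy, as stated in the post.
MAX_POLICY_VERSIONS = 5

# Constructed sample with the same shape as the list-policy-versions output above.
SAMPLE_OUTPUT = json.dumps({
    "Versions": [
        {"CreateDate": "2019-03-04T10:48:30Z", "VersionId": "v5", "IsDefaultVersion": True},
        {"CreateDate": "2019-03-04T10:46:13Z", "VersionId": "v4", "IsDefaultVersion": False},
        {"CreateDate": "2019-03-04T10:44:14Z", "VersionId": "v3", "IsDefaultVersion": False},
        {"CreateDate": "2019-03-03T23:59:49Z", "VersionId": "v2", "IsDefaultVersion": False},
        {"CreateDate": "2019-03-03T23:56:17Z", "VersionId": "v1", "IsDefaultVersion": False},
    ]
})


def parse_create_date(value):
    # The CLI emits ISO-8601 timestamps with a trailing Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_versions(payload):
    """Summarise the version state of one policy.

    payload is either the raw JSON text from `aws iam list-policy-versions`
    or the already-parsed dict. Returns a dict with the default version,
    the version count, whether the limit is reached, the oldest non-default
    version (the usual deletion candidate), and whether the default is the
    newest version (if not, the policy has been rolled back to an older one).
    """
    if isinstance(payload, str):
        payload = json.loads(payload)
    versions = payload.get("Versions", [])
    defaults = [v for v in versions if v.get("IsDefaultVersion")]
    if len(defaults) != 1:
        raise ValueError("expected exactly one default version, got %d" % len(defaults))
    default = defaults[0]
    non_default = [v for v in versions if not v.get("IsDefaultVersion")]
    oldest = min(non_default, key=lambda v: parse_create_date(v["CreateDate"]), default=None)
    newest = max(versions, key=lambda v: parse_create_date(v["CreateDate"]))
    return {
        "default_version": default["VersionId"],
        "version_count": len(versions),
        "at_limit": len(versions) >= MAX_POLICY_VERSIONS,
        "oldest_non_default": oldest["VersionId"] if oldest else None,
        "default_is_newest": newest["VersionId"] == default["VersionId"],
    }


if __name__ == "__main__":
    # Usage: aws iam list-policy-versions --policy-arn <arn> | python3 policy_versions.py
    # With nothing piped in, the constructed sample above is summarised instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(json.dumps(summarize_versions(raw), indent=2))
```

For the sample above the summary reports v5 as the default, five versions (so the limit is reached and v1 is the oldest candidate to delete before the next update), and that the default is the newest version. A default that is not the newest version means someone ran set-default-policy-version to roll the policy back, which is worth reviewing since that older version, not the latest edit, is what is in effect.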
