diff --git a/allowed-breaking-changes.txt b/allowed-breaking-changes.txt
index 0901892b553ff..e33478256fb7f 100644
--- a/allowed-breaking-changes.txt
+++ b/allowed-breaking-changes.txt
@@ -8,3 +8,5 @@ removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationLoadBalancer.metricIPv6Pr
 removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationLoadBalancer.metricIPv6RequestCount
 removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationTargetGroup.metricIPv6RequestCount
 removed:@aws-cdk/core.Fn.getAZs
+removed:@aws-cdk/aws-iam.UserProps.managedPolicyArns
+removed:@aws-cdk/aws-iam.GroupProps.managedPolicyArns
diff --git a/packages/@aws-cdk/aws-iam/lib/group.ts b/packages/@aws-cdk/aws-iam/lib/group.ts
index 965f453fd6ea4..066905701ee94 100644
--- a/packages/@aws-cdk/aws-iam/lib/group.ts
+++ b/packages/@aws-cdk/aws-iam/lib/group.ts
@@ -40,11 +40,13 @@ export interface GroupProps {
   readonly groupName?: string;
 
   /**
-   * A list of ARNs for managed policies associated with group.
+   * A list managed policies associated with this role.
+   *
+   * You can add managed policies later using `attachManagedPolicy(policy)`.
    *
    * @default - No managed policies.
    */
-  readonly managedPolicyArns?: any[];
+  readonly managedPolicies?: IManagedPolicy[];
 
   /**
    * The path to the group. For more information about paths, see [IAM
@@ -130,7 +132,7 @@ export class Group extends GroupBase {
       physicalName: props.groupName,
     });
 
-    this.managedPolicies.push(...props.managedPolicyArns || []);
+    this.managedPolicies.push(...props.managedPolicies || []);
 
     const group = new CfnGroup(this, 'Resource', {
       groupName: this.physicalName,
diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
index 25153769293fc..923d8dc41ba33 100644
--- a/packages/@aws-cdk/aws-iam/lib/role.ts
+++ b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -30,7 +30,8 @@ export interface RoleProps {
   readonly externalId?: string;
 
   /**
-   * A list of ARNs for managed policies associated with this role.
+   * A list of managed policies associated with this role.
+   *
    * You can add managed policies later using `attachManagedPolicy(arn)`.
    *
    * @default - No managed policies.
diff --git a/packages/@aws-cdk/aws-iam/lib/user.ts b/packages/@aws-cdk/aws-iam/lib/user.ts
index 465a46b32d241..dc3b9e8185bfe 100644
--- a/packages/@aws-cdk/aws-iam/lib/user.ts
+++ b/packages/@aws-cdk/aws-iam/lib/user.ts
@@ -24,12 +24,13 @@ export interface UserProps {
   readonly groups?: IGroup[];
 
   /**
-   * A list of ARNs for managed policies attacherd to this user.
-   * You can use `addManagedPolicy(arn)` to attach a managed policy to this user.
+   * A list managed policies associated with this role.
+   *
+   * You can add managed policies later using `attachManagedPolicy(policy)`.
    *
    * @default - No managed policies.
    */
-  readonly managedPolicyArns?: any[];
+  readonly managedPolicies?: IManagedPolicy[];
 
   /**
    * The path for the user name. For more information about paths, see IAM
@@ -108,6 +109,8 @@ export class User extends Resource implements IIdentity {
       physicalName: props.userName,
     });
 
+    this.managedPolicies.push(...props.managedPolicies || []);
+
     const user = new CfnUser(this, 'Resource', {
       userName: this.physicalName,
       groups: undefinedIfEmpty(() => this.groups),
diff --git a/packages/@aws-cdk/aws-iam/test/test.group.ts b/packages/@aws-cdk/aws-iam/test/test.group.ts
index 274b705a66b29..777b871877ea6 100644
--- a/packages/@aws-cdk/aws-iam/test/test.group.ts
+++ b/packages/@aws-cdk/aws-iam/test/test.group.ts
@@ -1,7 +1,7 @@
-import { expect } from '@aws-cdk/assert';
+import { expect, haveResource } from '@aws-cdk/assert';
 import { App, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { Group, User } from '../lib';
+import { Group, ManagedPolicy, User } from '../lib';
 
 export = {
   'default group'(test: Test) {
@@ -35,4 +35,23 @@ export = {
          Properties: { Groups: [ { Ref: 'MyGroupCBA54B1B' } ] } } } });
     test.done();
   },
+
+  'create with managed policy'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new Group(stack, 'MyGroup', {
+      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')]
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::IAM::Group', {
+      ManagedPolicyArns: [
+        { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
+      ]
+    }));
+
+    test.done();
+  }
 };
diff --git a/packages/@aws-cdk/aws-iam/test/test.role.ts b/packages/@aws-cdk/aws-iam/test/test.role.ts
index a4375d292d666..9684c76f5d114 100644
--- a/packages/@aws-cdk/aws-iam/test/test.role.ts
+++ b/packages/@aws-cdk/aws-iam/test/test.role.ts
@@ -288,5 +288,6 @@ export = {
       Roles: [ "MyRole" ]
     }));
     test.done();
-  }
+  },
+
 };
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-iam/test/test.user.ts b/packages/@aws-cdk/aws-iam/test/test.user.ts
index 62a708605f861..818c94eea5b99 100644
--- a/packages/@aws-cdk/aws-iam/test/test.user.ts
+++ b/packages/@aws-cdk/aws-iam/test/test.user.ts
@@ -1,7 +1,7 @@
-import { expect } from '@aws-cdk/assert';
+import { expect, haveResource } from '@aws-cdk/assert';
 import { App, SecretValue, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { User } from '../lib';
+import { ManagedPolicy, User } from '../lib';
 
 export = {
   'default user'(test: Test) {
@@ -32,6 +32,26 @@ export = {
     const app = new App();
     const stack = new Stack(app, 'MyStack');
     test.throws(() => new User(stack, 'MyUser', { passwordResetRequired: true }));
+    test.done();
+  },
+
+  'create with managed policy'(test: Test) {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'MyStack');
+
+    // WHEN
+    new User(stack, 'MyUser', {
+      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')]
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::IAM::User', {
+      ManagedPolicyArns: [
+        { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
+      ]
+    }));
+
     test.done();
   }
 };