====== Identity-based Policy ======

**What it is:** A policy attached to an IAM user, group, or role.

**What it’s for:**
  * Grant that identity permissions to call AWS APIs.

**Key ideas:**
  * The most common policy type in AWS.
  * Best practice: attach to **roles** for services.

**Hard words:**
  * *attach* /əˈtætʃ/: to fasten or bind (a policy to an identity)