====== IAM Policy ======

**What it is:** A JSON document that defines permissions.

**What it's for:**
  * Control access by specifying **Actions**, **Resources**, and optional **Conditions**.

**Core structure (conceptual):**
  * **Effect**: Allow or Deny
  * **Action**: which API actions are permitted (e.g., s3:GetObject)
  * **Resource**: which resources the statement applies to (e.g., a bucket, a table)
  * **Condition**: optional rules that must hold for the statement to apply (IP, MFA, tags, time)

**Key ideas:**
  * An explicit **Deny** always wins over any **Allow**.
  * Policies can be:
    * **Identity-based** (attached to a user, group, or role)
    * **Resource-based** (attached to the resource itself, e.g., an S3 bucket policy)

**Exam cues:**
  * "allow read-only access to a specific bucket prefix" → policy with a scoped **Resource**.
  * "block everyone except a specific role" → explicit deny / restrictive bucket policy.

**Hard words:**
  * *effect* /ɪˈfekt/: the force a statement carries (Allow/Deny)
  * *condition* /kənˈdɪʃn/: a requirement that must be met
  * *explicit* /ɪkˈsplɪsɪt/: stated outright (written clearly)

**Child pages:**
  * [[aws:security:iam:identity-based-policy|Identity-based Policy]]
  * [[aws:security:iam:resource-based-policy|Resource-based Policy]]
  * [[aws:security:iam:policy-evaluation|Policy Evaluation]]
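Both exam cues above in one worked example (added here, not part of the original page): a toy Python model of the evaluation rules this page lists, covering default deny, explicit Deny beating Allow, and wildcard-scoped Actions and Resources. It is not AWS's real evaluation engine; the account id, bucket name, role name and the ArnEquals/ArnNotEquals-only condition support are constructed for illustration.

```python
import fnmatch

# Constructed policies (not from the original page). The identity-based policy
# grants read-only access to one bucket prefix; the resource-based bucket policy
# carries an explicit Deny for everyone except one role.
READER_ROLE = "arn:aws:iam::123456789012:role/ReportReader"  # constructed ARN
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": READER_ROLE}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Toy subset of IAM conditions: only ArnEquals / ArnNotEquals on aws:PrincipalArn.
    principal = context.get("aws:PrincipalArn", "")
    for operator, kv in condition.items():
        wanted = kv.get("aws:PrincipalArn", [])
        if operator == "ArnEquals" and not _matches(wanted, principal):
            return False
        if operator == "ArnNotEquals" and _matches(wanted, principal):
            return False
    return True

def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for one request across all applicable policies."""
    decision = "Deny"  # implicit deny until some statement allows
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny always wins, regardless of order
            decision = "Allow"
    return decision

if __name__ == "__main__":
    policies = [IDENTITY_POLICY, BUCKET_POLICY]
    obj = "arn:aws:s3:::example-bucket/reports/q1.csv"
    print(evaluate(policies, "s3:GetObject", obj, {"aws:PrincipalArn": READER_ROLE}))
```

Swap the principal for another role, or the key for one outside the ''reports/'' prefix, and the same request is denied: once by the bucket policy's explicit Deny, once because no Allow matches.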