====== Policy Evaluation (Allow/Deny logic) ======

**What it is:** The rules AWS uses to decide whether a request is allowed.

**What it’s for:** Predict and troubleshoot access problems.

**Decision rules (high-level):**
  * Default is **implicit deny** (if no Allow is written, the request is treated as not permitted).
  * If there is any **explicit deny**, the request is denied.
  * Otherwise, if there is at least one **allow**, the request is allowed.

**Common exam cues:**
  * “why is access denied even though policy allows?” → likely an explicit deny somewhere.
  * “no allow exists” → implicit deny.

**Hard words:**
  * *implicit* /ɪmˈplɪsɪt/: implied, not stated outright
  * *evaluate* /ɪˈvæljueɪt/: to assess / reach a decision
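
The three decision rules above as a small evaluator, added here as an example (it is not AWS's implementation). It models only ''Effect'', ''Action'' and ''Resource'' of identity-based statements, leaving conditions and other policy types out; the bucket, ARNs and statements are constructed sample data. The returned reason separates the two exam cues: ''ExplicitDeny'' versus ''ImplicitDeny''.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM-style wildcards: '*' is any run of characters, '?' is exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def evaluate(statements, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in statements:
        # Action names are matched case-insensitively, resources exactly.
        if not any(_match(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # any matching Deny wins, regardless of order
        allowed = True              # remember the Allow, keep looking for a Deny
    return "Allow" if allowed else "ImplicitDeny"

# Constructed sample policy statements (not from a real account).
BUCKET = "arn:aws:s3:::example-bucket"
STATEMENTS = [
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": BUCKET + "/audit/*"},
]

if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", BUCKET + "/audit/log.txt"),
        ("s3:DeleteObject", BUCKET + "/audit/log.txt"),
        ("ec2:StartInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-example"),
    ]:
        print(action, resource, "->", evaluate(STATEMENTS, action, resource))
```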