====== Resource-based Policy ======

**What it is:** A policy attached directly to a resource (e.g., S3 bucket policy, KMS key policy).

**What it’s for:**
  * Grant permissions to **principals** (users/roles/accounts) on that resource.
  * Enable cross-account access without needing an identity policy in the resource owner account (often combined).

**Key ideas:**
  * Typical examples:
    * S3 Bucket Policy
    * KMS Key Policy
  * You must specify **Principal** in resource-based policies.

**Hard words:**
  * *principal* /ˈprɪnsəpəl/: the entity (who is allowed)
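
A review check built on the two points above (every statement needs a Principal, and resource-based policies are where cross-account access is granted), as an added example that is not part of the original page. The account IDs, bucket and role names, and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample: a bucket policy owned by account 111122223333 (placeholder IDs).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CrossAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "MissingPrincipal", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Return the 12-digit account ID of an AWS principal string, or None."""
    m = re.fullmatch(r"(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None

def review_resource_policy(policy_json, owner_account):
    """Return (sid, finding) tuples for a resource-based policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        sid = stmt.get("Sid", f"statement[{i}]")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            findings.append((sid, "missing-principal"))  # invalid on a resource
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append((sid, "wildcard-principal"))
            continue
        # NotPrincipal-only statements and non-AWS principal types are not evaluated.
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in _as_list(aws):
            if p == "*":
                findings.append((sid, "wildcard-principal"))
            elif _account_of(p) not in (None, owner_account):
                findings.append((sid, f"cross-account:{_account_of(p)}"))
    return findings
```
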