IAM Policy

What it is: A JSON document that defines permissions.

What it’s for:

• Control access by specifying Actions, Resources, and optional Conditions.

Core structure (conceptual):

• Effect: Allow or Deny
• Action: what API actions are permitted (e.g., s3:GetObject)
• Resource: which resources (e.g., a bucket, a table)
• Condition: optional rules (IP, MFA, tags, time)

Key ideas:

• Explicit Deny always wins.
• Policies can be:
  • Identity-based (attached to user/group/role)
  • Resource-based (attached to the resource, e.g., S3 bucket policy)

Exam cues:

• “allow read-only access to specific bucket prefix” → policy with scoped resource.
• “block everyone except specific role” → explicit deny / restrictive bucket policy.

Hard words:

• *effect* /ɪˈfekt/: hiệu lực (Allow/Deny)
• *condition* /kənˈdɪʃn/: điều kiện
• *explicit* /ɪkˈsplɪsɪt/: tường minh (ghi rõ)

Child pages:

• Identity-based Policy
• Resource-based Policy
• Policy Evaluation