Policy Evaluation (Allow/Deny logic)

What it is: The rules AWS uses to decide whether a request is allowed.

What it’s for: Predict and troubleshoot access problems.

Decision rules (high-level):

  • Default is implicit deny (if no Allow is written, the request is treated as not allowed).
  • If there is any explicit deny, the request is denied.
  • Otherwise, if there is at least one allow, the request is allowed.

Common exam cues:

  • “why is access denied even though policy allows?” → likely an explicit deny somewhere.
  • “no allow exists” → implicit deny.
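
The three decision rules and both exam cues, as an added example that is not part of the original page. It is a simplified model, not AWS's evaluator: it only looks at Effect, Action and Resource in identity-style statements (no conditions, SCPs, permission boundaries or resource policies), and the function name `evaluate`, the bucket `example-bucket` and the sample policies are constructed for illustration.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _applies(stmt, action, resource):
    # Action names are compared case-insensitively, resource ARNs case-sensitively.
    return (any(_match(a, action, True) for a in _as_list(stmt["Action"]))
            and any(_match(r, resource) for r in _as_list(stmt["Resource"])))

def evaluate(policies, action, resource):
    """Return (decision, reason) using the page's three high-level rules."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return ("Deny", "explicit deny")   # rule 2: any explicit deny wins
            if stmt["Effect"] == "Allow":
                allowed = True                     # rule 3: remember the allow
    # rule 1: with no matching Allow, the default is implicit deny
    return ("Allow", "explicit allow") if allowed else ("Deny", "implicit deny")

# Constructed sample policies (assumption: two policies attached to one principal).
POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                    "Resource": "arn:aws:s3:::example-bucket/*"}]},
    {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                    "Resource": "arn:aws:s3:::example-bucket/protected/*"}]},
]

if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/protected/a.txt"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/protected/a.txt"),
        ("ec2:StartInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"),
    ]
    for action, resource in requests:
        print(action, resource, "->", evaluate(POLICIES, action, resource))
```

The second request is the "denied even though a policy allows" case: the `s3:*` Allow matches, but the Deny on `protected/*` also matches and takes precedence.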

Hard words:

  • *implicit* /ɪmˈplɪsɪt/: implied, applied by default without being stated
  • *evaluate* /ɪˈvæljueɪt/: to assess / reach a decision
aws/security/iam/policy-evaluation.txt · Last modified: by phong2018