What it is: A policy attached directly to a resource (e.g., S3 bucket policy, KMS key policy).

What it’s for:

• Grant permissions to principals (users/roles/accounts) on that resource.
• Enable cross-account access without needing identity policy in the resource owner account (often combined).

Key ideas:

• Typical examples:
  • S3 Bucket Policy
  • KMS Key Policy
• You must specify Principal in resource-based policies.

Hard words:

• *principal* /ˈprɪnsəpəl/: chủ thể (ai được phép)