
AWS IAM Policy types: identity-based and resource-based

Learn about the first two policy types supported by AWS.

All IAM policies follow the structure detailed in the previous lessons, but how a policy behaves is determined by what it is attached to. We can attach policies to 5 entities, and they are named accordingly:

  • Identity-based policies: Attached to an IAM user, group, or role
  • Resource-based policies: Attached to AWS resources
  • Service-control policies: Attached to accounts
  • Session policies: Attached to assumed-role sessions
  • Permissions boundaries: Attached to identities as an upper limit on their permissions

Each policy type behaves differently when IAM determines access. Let’s see how they work.

Identity-based policies

One of the most important policy types, these are attached to IAM users, groups, and roles. An identity-based policy defines what the identity it is attached to can or cannot do. Because the policy is attached directly to a principal, it has no Principal element: the principal is implied by the attachment.

For example, this policy allows read access to a specific S3 object in a bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket>/text.txt"
        }
    ]
}

These policies can also restrict what an identity can do. This is done with a Deny statement:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket>/*"
        }
    ]
}

The above policy forbids the user from reading objects from a specific S3 ...
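To see how the two identity-based policies above interact, here is an added example (not part of this lesson, and not the AWS evaluation engine) that models the core of IAM's logic in Python: start from an implicit deny, a matching Allow grants access, and a matching Deny overrides any Allow. The bucket name example-bucket is a constructed stand-in for <bucket>, and NotAction, NotResource and Condition are deliberately out of scope.

```python
import fnmatch
import json

# Constructed copies of the two identity-based policies shown above, with a
# made-up bucket name standing in for <bucket>.
ALLOW_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::example-bucket/text.txt"}]
}""")
DENY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM's '*' and '?' wildcards map directly onto fnmatch; the comparison is
    # case-sensitive here, which is correct for S3 object ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified identity-based evaluation: implicit deny by default, a
    matching Allow grants, and a matching explicit Deny overrides any Allow
    regardless of the order in which the policies are attached."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            decision = "Allow"         # keep scanning: a later Deny still wins
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/text.txt"
    print(evaluate([ALLOW_POLICY], "s3:GetObject", obj))               # Allow
    print(evaluate([ALLOW_POLICY, DENY_POLICY], "s3:GetObject", obj))  # ExplicitDeny
    print(evaluate([ALLOW_POLICY], "s3:PutObject", obj))               # ImplicitDeny
```

Attaching both policies to the same user yields ExplicitDeny for text.txt even though the Allow names that exact object, which is the behaviour to expect from AWS as well.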