Friday, September 19, 2025

Types of IAM Policies

1. Identity-based policies

Attached directly to IAM identities (users, groups, or roles). Define what actions the identity can perform on which resources.

Examples:
- AWS managed policies → Prebuilt by AWS (e.g., AmazonS3ReadOnlyAccess).
- Customer managed policies → Created and managed by you in your account.
- Inline policies → Embedded directly in a user/group/role (not reusable).

2. Resource-based policies

Attached directly to resources (not to identities). Define who can access the resource and what they can do.

Common examples:
- S3 bucket policies
- SNS topic policies
- SQS queue policies
- KMS key policies

3. Permissions boundaries

A special type of policy that limits the maximum permissions an identity (user or role) can have.

Example: An IAM role has an attached policy allowing s3:*, but a permissions boundary only allows s3:GetObject. The role can only perform GetObject.

4. Service control policies (SCPs) (AWS Organizations only)

Apply at the organization or OU (organizational unit) level. Define what actions accounts within the org can or cannot do. Do not grant permissions — only restrict.

5. Session policies

Policies that are passed when you assume a role or federate a user. Only apply to the temporary session.

Example: Using sts:AssumeRole and passing a restrictive session policy.

✅ In short:
- Identity-based (Managed: AWS or customer, Inline)
- Resource-based
- Permissions boundaries
- Service Control Policies (SCPs)
- Session policies
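The five policy types above do not simply add up: an explicit Deny in any of them wins, SCPs, permissions boundaries and session policies can only narrow what is granted, and the grant itself has to come from an identity-based or resource-based policy. The toy evaluator below, an added example that is not from the original post and not AWS code, models that combination on small constructed policy documents (the bucket name, role and ARNs are made up). It reproduces the permissions-boundary example from the post (identity policy allows s3:*, boundary allows only s3:GetObject) and also shows an SCP Deny overriding an identity Allow and a session policy narrowing an assumed role. It deliberately simplifies the real evaluation logic: conditions are ignored, and same-account resource-based policies that name the principal directly are treated as subject to the boundary and session policy, which the real engine does not always do.

```python
"""Toy model of how IAM policy types combine into a final decision.

Constructed example for illustration; not the AWS evaluation engine.
Simplifications: no Condition blocks, no NotAction/NotResource, and
every restrictive layer (SCP, boundary, session) gates every grant.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _decision(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one document."""
    decision = None
    for stmt in policy.get("Statement", []):
        # Action names are case-insensitive in IAM; ARNs are matched as-is.
        action_hit = any(fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource", "*")))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny ends evaluation
            decision = "Allow"
    return decision


def evaluate(action, resource, identity=None, resource_policy=None,
             boundary=None, scp=None, session=None):
    """Combine the policy types attached to one request.

    identity        identity-based policy on the user/group/role
    resource_policy resource-based policy on the target resource
    boundary        permissions boundary on the user/role
    scp             effective SCP from AWS Organizations
    session         session policy passed to sts:AssumeRole
    """
    layers = {"identity": identity, "resource": resource_policy,
              "boundary": boundary, "scp": scp, "session": session}
    results = {name: _decision(doc, action, resource)
               for name, doc in layers.items() if doc is not None}

    # 1. Any explicit Deny anywhere wins.
    if "Deny" in results.values():
        return "Deny"
    # 2. Restrictive layers never grant; each one present must allow.
    for name in ("scp", "boundary", "session"):
        if name in results and results[name] != "Allow":
            return "Deny"
    # 3. The grant must come from an identity-based or resource-based policy.
    if results.get("identity") == "Allow" or results.get("resource") == "Allow":
        return "Allow"
    return "Deny"                      # implicit deny


# Constructed sample documents (names and ARNs are made up).
IDENTITY_S3_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY_GET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
SCP_NO_BUCKET_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
SESSION_LIST_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}
BUCKET_POLICY_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

if __name__ == "__main__":
    # The post's boundary example: s3:* identity policy, GetObject-only boundary.
    print(evaluate("s3:GetObject", OBJECT_ARN,
                   identity=IDENTITY_S3_FULL, boundary=BOUNDARY_GET_ONLY))  # Allow
    print(evaluate("s3:PutObject", OBJECT_ARN,
                   identity=IDENTITY_S3_FULL, boundary=BOUNDARY_GET_ONLY))  # Deny
    # SCP Deny overrides the identity Allow.
    print(evaluate("s3:DeleteBucket", BUCKET_ARN,
                   identity=IDENTITY_S3_FULL, scp=SCP_NO_BUCKET_DELETE))    # Deny
    # Session policy narrows an assumed role to ListBucket.
    print(evaluate("s3:GetObject", OBJECT_ARN,
                   identity=IDENTITY_S3_FULL, session=SESSION_LIST_ONLY))   # Deny
```

Step 2 is the point the post makes about SCPs, boundaries and session policies: they appear in the results only as filters, so a boundary or SCP that allows s3:* on its own still yields Deny until an identity-based or resource-based policy grants the action.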
