IAM Policy Logic Infographic
AWS Security Architecture

IAM POLICY LOGIC

Understanding the intersection of Identity, Resources, and Guardrails in the Cloud.

01. The Policy Ingredients

Identity-Based

Attached to Users, Groups, or Roles. Defines what an identity can do across the environment.

  • Managed or Inline
  • Grants permissions

Resource-Based

Attached to Resources (S3, KMS, SQS). Defines who can access that specific resource.

  • Cross-account access
  • Principal is specified in policy

Permission Boundary

An advanced feature that sets the Maximum Permissions an identity can ever have.

  • Does NOT grant access
  • Limits potential blast radius

02. The Evaluation Logic

  • Allowed by: Identity Policy
  • Allowed by: Resource Policy
  • Limited by: Permission Boundary
  • Final Result: Effective Permissions

Critical Rule of Thumb

If an Explicit Deny exists in any of these policies, the request is always denied, regardless of any allows. This is the most powerful rule in IAM evaluation.
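The following Python simulator is an added worked example and is not part of the infographic, nor is it AWS's real evaluation engine. It applies the simplified flow above (an explicit Deny anywhere wins; an Allow must come from the identity or resource policy; a permission boundary, when attached, must also Allow) to constructed sample policies. The role ARN, bucket name and all policy documents are made up for illustration; the model ignores session policies, Organizations SCPs and the finer cross-account cases of real IAM, and it approximates IAM wildcards with fnmatch.

```python
"""Simplified IAM policy evaluation (illustrative model, not the AWS engine)."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    """Identity policies and boundaries carry no Principal; resource policies do."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def _statement_matches(stmt, principal_arn, action, resource):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_ok = any(fnmatchcase(resource, r) for r in resources)
    return action_ok and resource_ok and _principal_matches(stmt, principal_arn)


def _effect(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow' or None for one policy document."""
    if policy is None:
        return None
    result = None
    for stmt in policy.get("Statement", []):
        if _statement_matches(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny in this document short-circuits
            result = "Allow"
    return result


def evaluate(principal_arn, action, resource,
             identity_policy=None, resource_policy=None, boundary=None):
    """Decide one request following the infographic's flow."""
    effects = {
        "identity": _effect(identity_policy, principal_arn, action, resource),
        "resource": _effect(resource_policy, principal_arn, action, resource),
        "boundary": _effect(boundary, principal_arn, action, resource),
    }
    # Rule 1: an explicit Deny in any policy always wins.
    if "Deny" in effects.values():
        return "Deny (explicit)"
    # Rule 2: some Allow must come from the identity or the resource policy.
    if "Allow" not in (effects["identity"], effects["resource"]):
        return "Deny (implicit: no Allow)"
    # Rule 3: a boundary never grants, but when present it must also Allow.
    if boundary is not None and effects["boundary"] != "Allow":
        return "Deny (outside permission boundary)"
    return "Allow"


def effective_permissions(requests, **policies):
    """Final Result: the subset of candidate (action, resource) pairs that are allowed."""
    return {(a, r) for a, r in requests if evaluate(a=a, r=r, **policies) == "Allow"} \
        if False else {(a, r) for a, r in requests
                       if evaluate(policies.get("principal_arn"), a, r,
                                   policies.get("identity_policy"),
                                   policies.get("resource_policy"),
                                   policies.get("boundary")) == "Allow"}


# ---- Constructed sample data (hypothetical account, role, bucket) ----
ROLE_ARN = "arn:aws:iam::111122223333:role/AppRole"  # made-up principal

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::app-bucket/finance/*"},
]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-bucket"},
    {"Effect": "Allow", "Principal": "*",  # anonymous read of the public prefix
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/public/*"},
]}

BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},  # S3 only, never IAM
]}

if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/data/x.txt"),
        ("iam:CreateUser", "*"),
        ("s3:PutObject", "arn:aws:s3:::app-bucket/finance/q.csv"),
        ("s3:ListBucket", "arn:aws:s3:::app-bucket"),
    ]:
        print(action, resource, "->",
              evaluate(ROLE_ARN, action, resource, IDENTITY_POLICY, BUCKET_POLICY, BOUNDARY))
```

The `iam:CreateUser` case is the one the boundary panel describes: the identity policy grants `iam:*`, yet the request is denied because the boundary never allows it, so the boundary caps the blast radius without granting anything itself. The anonymous `Principal: "*"` statement in the bucket policy is how a resource-based policy grants access to a principal that has no identity policy at all.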

Key Takeaways

Identity-based policies are the most common way to grant access.

Resource-based policies allow access to “Anonymous” or “Cross-Account” principals.

Boundaries are used to delegate admin tasks safely without escalating privileges.

Cloud Architecture Series • 2023 Visual Guide
