Managing access using policies - AWS IoT Events
Identity-based policiesOther policy typesMultiple policy types

End of support notice: On May 20, 2026, AWS will end support for AWS IoT Events. After May 20, 2026, you will no longer be able to access the AWS IoT Events console or AWS IoT Events resources. For more information, see AWS IoT Events end of support.

Managing access using policies

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see Overview of JSON policies in the IAM User Guide.

Using policies, administrators specify who has access to what by defining which principal can perform actions on what resources, and under what conditions.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

Identity-based policies

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Define custom IAM permissions with customer managed policies in the IAM User Guide.

Identity-based policies can be inline policies (embedded directly into a single identity) or managed policies (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see Choose between managed policies and inline policies in the IAM User Guide.

Other policy types

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:

  • Permissions boundaries – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see Permissions boundaries for IAM entities in the IAM User Guide.

  • Service control policies (SCPs) – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see Service control policies in the AWS Organizations User Guide.

  • Resource control policies (RCPs) – Set the maximum available permissions for resources in your accounts. For more information, see Resource control policies (RCPs) in the AWS Organizations User Guide.

  • Session policies – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see Session policies in the IAM User Guide.

Multiple policy types

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see Policy evaluation logic in the IAM User Guide.