Using access policies to grant permissions in AWS - AWS Prescriptive Guidance

Using access policies to grant permissions in AWS

You manage access in AWS by creating identity-based policies and attaching them to AWS Identity and Access Management (IAM) principals, such as roles or users, and by creating resource-based policies and attaching them to AWS resources. AWS evaluates these policies whenever a request is made. Permissions in the policies determine whether the request is allowed or denied.

To understand how to configure least-privilege access in policies, you need to understand the different types of policies, the elements and structure of a policy, and how policies are evaluated. This guide focuses only on identity-based policies and resource-based policies. However, AWS provides other types of policies, such as service control policies (SCPs), permissions boundaries, and session policies. Each type of policy plays a role in implementing least-privilege permissions in your AWS accounts. For more information, see Policies and permissions and Apply least-privilege permissions in the IAM documentation.
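The following is an added illustration, not code from this guide or from AWS: a small Python model of how an identity-based policy and a resource-based policy combine for a same-account request, where an explicit Deny in either policy wins, any matching Allow then grants access, and nothing matching is an implicit deny. The policies, the role name and the bucket name are constructed; the model deliberately ignores SCPs, permissions boundaries, session policies, Condition blocks and cross-account rules, and assumes the request principal is the one the policies target.

```python
# Constructed model of same-account policy evaluation (not AWS code).
# Ignores SCPs, permissions boundaries, session policies, Conditions
# and cross-account evaluation; assumes the Principal already matches.
import fnmatch

# Constructed identity-based policy attached to a hypothetical role.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
    ],
}

# Constructed resource-based (bucket) policy on the same bucket.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/secret/*"},
    ],
}

def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    actions = statement["Action"]
    resources = statement["Resource"]
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def evaluate(action, resource, *policies):
    """Return 'Allow' or 'Deny' for one request across all supplied policies:
    explicit Deny overrides everything, then any Allow, else implicit deny."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"    # explicit deny wins even though the role is allowed
    if "Allow" in effects:
        return "Allow"
    return "Deny"        # no statement matched: implicit deny

if __name__ == "__main__":
    print(evaluate("s3:GetObject", "arn:aws:s3:::example-reports/q1.csv",
                   IDENTITY_POLICY, RESOURCE_POLICY))
```

Reading a report object is allowed by the role's identity-based policy, while anything under the secret/ prefix is denied by the bucket policy regardless of what the role is granted, and an action the role was never given (such as s3:PutObject) falls through to the implicit deny.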