AWS Identity and Access Management (IAM) policies are how you say who can do what in your AWS account. Every policy is a JSON document, and AWS evaluates it every time a request is made.
The mental model
A policy is a list of statements. Each statement answers three questions:
- Effect — Allow or Deny
- Action — which API operations (like
s3:GetObject) - Resource — which ARNs the actions apply to
When a principal (a user or role) makes a request, AWS gathers every policy that applies and evaluates them together.
How AWS decides
The evaluation logic is simple to remember:
- Start from an implicit deny.
- If any matching statement says Allow, the action is allowed…
- …unless any matching statement says Deny, which always wins.
So an explicit Deny beats every Allow. This is why a single deny statement is a powerful guardrail.
A minimal example
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
This grants read access to objects in one bucket — nothing more.
Where to go next
The hardest part of IAM is not the syntax, it is choosing the right actions and resources. Open the read-only policy template in the workspace and ask the AI to explain each statement, then tighten it to your own bucket names.