What Is an AWS IAM Policy?

4 min·Jul 15, 2026
AI Summary

An IAM policy is a JSON document that says who can do what to which AWS resources. AWS reads every matching policy and allows an action only if something explicitly allows it and nothing explicitly denies it.

AWS IAM Read-only Policy
A least-privilege IAM policy granting read-only access to S3 and CloudWatch logs — a safe starting point for auditors, dashboards and monitoring roles.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadS3Objects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-app-data",
        "arn:aws:s3:::my-app-data/*"
      ]
    },
    {
      "Sid": "ReadCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/my-app/*"
    }
  ]
}

AWS Identity and Access Management (IAM) policies are how you say who can do what in your AWS account. Every policy is a JSON document, and AWS evaluates it every time a request is made.

The mental model

A policy is a list of statements. Each statement answers three questions:

  • Effect — Allow or Deny
  • Action — which API operations (like s3:GetObject)
  • Resource — which ARNs the actions apply to

When a principal (a user or role) makes a request, AWS gathers every policy that applies and evaluates them together.

How AWS decides

The evaluation logic is simple to remember:

  1. Start from an implicit deny.
  2. If any matching statement says Allow, the action is allowed…
  3. …unless any matching statement says Deny, which always wins.

So an explicit Deny beats every Allow. This is why a single deny statement is a powerful guardrail.

A minimal example

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*" } ] }

This grants read access to objects in one bucket — nothing more.

Where to go next

The hardest part of IAM is not the syntax, it is choosing the right actions and resources. Open the read-only policy template in the workspace and ask the AI to explain each statement, then tighten it to your own bucket names.

FAQ

Where do IAM policies get attached?

To identities (users, groups, roles) as identity-based policies, or to resources (like an S3 bucket) as resource-based policies.

Does an empty policy deny everything?

AWS denies by default. An action is only allowed when a policy explicitly allows it and no policy explicitly denies it.