An IAM policy is a JSON document that defines one or more permissions.
A policy is attached to an IAM principal (a human user, an application, or the IAM role an EC2 instance assumes through its instance profile) and governs that principal's access to an AWS service such as an S3 bucket.
Two types of policies are available to assign to IAM principals, based on who manages the policy:
Customer managed (Created by you)
AWS managed (predefined and managed by AWS)
Two types of policies based on what they are attached to:
User based (AWS calls them identity-based) policies are attached to an IAM user, group, or role. An EC2 instance does not receive a policy directly; it receives the permissions of the role it assumes.
They contain one or more permissions.
Resource based policies are attached to AWS resources such as an SQS queue or an S3 bucket.
They also contain permissions. These permissions contain all the normal elements (ACERS) plus one extra element, "Principal", which names who the permission is granted to (or denied). A resource-based policy statement without a Principal is rejected by AWS, because the policy is not attached to a caller and so must say whom it applies to.
A policy contains one or more permissions (in the policy JSON each one is a "Statement"). A permission has 5 components. You can remember them with the acronym ACERS – Action-Condition-Effect-Resource-Service (as in the Acer laptop).
The five components: 1) Action (e.g. s3:GetObject, s3:PutObject, s3:ListBucket), 2) Condition (only if the caller's IP is in x.y.z.0/24, only before time T, etc.), 3) Effect (Allow/Deny), 4) Resource (written as an ARN, e.g. arn:aws:s3:::MyBucket/MyFiles/MyResume.doc), 5) Service (e.g. S3 for MyBucket). Of these five only Condition is optional. Note that Service is not a separate key in the JSON: it is carried by the prefix of each Action ("s3:") and by the service field of the Resource ARN ("arn:aws:s3:::..."), so a statement that lists Effect, Action, Resource (and optionally Condition) already covers all of ACERS. A Deny always wins over an Allow, so a Deny statement is the right tool for carving exceptions out of a broad Allow.
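The following is an added example for these notes, not AWS code. It parses two constructed policy documents (an identity-based policy and a bucket policy; the bucket name, CIDR, account ID and role name are placeholders), maps every statement onto the ACERS elements, checks that the required elements are present (and that a resource-based policy names a Principal), and flags the classic over-broad statement of Allow on Action "*" and Resource "*" with no Condition.

```python
"""Map IAM policy statements onto the ACERS elements and sanity-check them.

Added example for these notes, not AWS code. All policy documents below are
constructed samples with placeholder bucket, CIDR, account and role names.
"""
import json

# Constructed identity-based policy with every ACERS element present.
# "Service" has no JSON key of its own: it is the "s3:" prefix of the Action
# and the service field of the Resource ARN ("arn:aws:s3:::...").
IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadResume",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::MyBucket/MyFiles/MyResume.doc",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

# Constructed resource-based (bucket) policy: ACERS plus Principal, because
# the policy is attached to the bucket rather than to the caller.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReportReader",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::MyBucket/*",
    }],
})

# Constructed over-broad policy: full access to everything, no Condition.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def as_list(value):
    """Action/Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def service_of(action):
    """Service namespace of an action: 's3:GetObject' -> 's3', '*' -> '*'."""
    return action.split(":", 1)[0] if ":" in action else action


def missing_elements(stmt, resource_based):
    """Names of required elements absent from one statement.

    Condition is optional; Action/Resource may appear in their Not* forms;
    Principal is required only in a resource-based policy.
    """
    missing = []
    if "Effect" not in stmt:
        missing.append("Effect")
    if "Action" not in stmt and "NotAction" not in stmt:
        missing.append("Action")
    if "Resource" not in stmt and "NotResource" not in stmt:
        missing.append("Resource")
    if resource_based and "Principal" not in stmt and "NotPrincipal" not in stmt:
        missing.append("Principal")
    return missing


def is_broad(summary):
    """True for an unconditional Allow on every action and every resource."""
    return (summary["Effect"] == "Allow" and "*" in summary["Action"]
            and "*" in summary["Resource"] and summary["Condition"] is None)


def analyse(policy_json, resource_based=False):
    """Return one ACERS summary dict per statement; raise if elements are missing."""
    doc = json.loads(policy_json)
    summaries = []
    for idx, stmt in enumerate(as_list(doc["Statement"])):
        missing = missing_elements(stmt, resource_based)
        if missing:
            raise ValueError(f"statement {idx} lacks {missing}")
        actions = as_list(stmt.get("Action", stmt.get("NotAction")))
        summary = {
            "Action": actions,
            "Condition": stmt.get("Condition"),
            "Effect": stmt["Effect"],
            "Resource": as_list(stmt.get("Resource", stmt.get("NotResource"))),
            "Service": sorted({service_of(a) for a in actions}),
            "Principal": stmt.get("Principal"),
        }
        summary["Broad"] = is_broad(summary)
        summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for name, doc, rb in (("identity", IDENTITY_POLICY, False),
                          ("bucket", BUCKET_POLICY, True),
                          ("admin", ADMIN_POLICY, False)):
        for s in analyse(doc, resource_based=rb):
            print(name, json.dumps(s))
```

Running the script prints the ACERS breakdown of each statement; the admin policy is the only one reported as Broad, and passing the identity policy with resource_based=True raises, because it has no Principal to say whom a bucket would be granting access to.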
You can also remember a Permission as a Do loop with a while. A DO loop contains