Authorization
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.
Included in this chapter:
- The policy evaluation chain
- Policy types and how they combine
- ABAC versus RBAC strategies
- Cross-account, on-premises, and application authZ
- Analyzing and correcting authorization
How each policy type affects the authorization decision
| Policy type | Who it applies to | Combine rule | Can it grant? |
|---|---|---|---|
| Identity-based policy | The principal it is attached to | Union with resource-based | Yes |
| Resource-based policy | The resource it is attached to | Union with identity-based | Yes |
| Permission boundary | The IAM user or role it caps | Intersection with identity policy | No, caps only |
| Session policy | A single assumed-role or federated session | Intersection at session scope | No, caps only |
| Service control policy (SCP) | Principals in member accounts | Intersection at Organizations layer | No, caps only |
| Resource control policy (RCP) | Resources in member accounts | Intersection at Organizations layer | No, caps only |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
- CLF-C02 AWS Certified Cloud Practitioner
- DEA-C01 AWS Certified Data Engineer - Associate
- DVA-C02 AWS Certified Developer - Associate
- SAA-C03 AWS Certified Solutions Architect – Associate
- SAP-C02 AWS Certified Solutions Architect - Professional
- CISSP Certified Information Systems Security Professional
References
- IAM policy evaluation logic
- How AWS enforcement code logic evaluates requests to allow or deny access
- Permissions boundaries for IAM entities
- Define permissions based on attributes with ABAC authorization
- Cross-account policy evaluation logic
- What is AWS IAM Roles Anywhere?
- What is Amazon Verified Permissions?
- Using AWS IAM Access Analyzer
- Testing IAM policies with the IAM policy simulator