Anatomy of an IAM Policy Document
Read the effect, action, resource, and condition of a policy.
Policies Define Permissions
In AWS, permissions are expressed as policies: JSON documents that grant or deny access to actions on resources. Reading a policy fluently is a core SCS-C02 skill, because almost every access question comes down to what a policy allows, denies, or fails to cover. This lesson dissects the structure piece by piece.
The Statement Array
A policy contains a Version field (use "2012-10-17") and a Statement element, which is either a single statement object or an array of them. Each statement is an independent rule with its own Effect, Action, Resource, and optional Condition. AWS evaluates every statement, so a single document can both allow some actions and explicitly deny others.
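As an added example (not code from the course), the following Python reads a constructed policy document, normalises the Statement element (single object or array) and the Action/Resource fields (string or list), and reports the document's verdict for a given action/resource pair. It assumes only the fields discussed here: it ignores Principal, NotAction/NotResource and Condition, and uses shell-style wildcard matching as an approximation of IAM's "*" and "?".

```python
import fnmatch
import json

# Constructed sample policy (not from the lesson): one Allow statement and one
# explicit Deny in the same document.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": "*"}
    ]
})

def as_list(value):
    """Policy grammar allows a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def load_statements(policy_json):
    """Parse a policy and normalise Statement into a list of dicts with list-valued fields."""
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("expected Version 2012-10-17")
    normalised = []
    for stmt in as_list(policy.get("Statement")):
        normalised.append({
            "Effect": stmt["Effect"],
            # IAM action names are case-insensitive; ARNs are compared as written.
            "Action": [a.lower() for a in as_list(stmt.get("Action"))],
            "Resource": as_list(stmt.get("Resource")),
        })
    return normalised

def matches(patterns, value):
    """Wildcard match approximating IAM's '*' and '?' in Action and Resource."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def decide(statements, action, resource):
    """Evaluate every statement: an explicit Deny overrides any Allow,
    and no matching statement at all means implicit deny."""
    verdict = "ImplicitDeny"
    for stmt in statements:
        if matches(stmt["Action"], action.lower()) and matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            verdict = "Allow"
    return verdict
```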