AWS Security Academy · Lesson

Identity-Based versus Resource-Based Policies

Compare policies attached to identities with those on resources.

Two Places to Attach

Permissions in AWS come from policies attached in two places: to an identity (user, group, or role) or to a resource (like an S3 bucket or KMS key). Knowing which type applies, and how they combine, is essential for the exam because cross-account access depends entirely on this distinction.

Identity-Based Policies

An identity-based policy is attached to an IAM principal and defines what that principal can do. It has no Principal element because the principal is whoever it is attached to. These can be AWS-managed, customer-managed, or inline policies, and they are the most common way to grant permissions.
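The distinction above is visible in the policy document itself: an identity-based policy carries no Principal element, while a resource-based policy must name who it applies to. The following is an added example, not code from the lesson or from AWS: it embeds one constructed policy of each kind (the account IDs and ARNs are placeholders), classifies a document by the presence of Principal, and, for a resource-based policy, lists the principals that sit outside the resource's own account, which is exactly where cross-account access is granted and where a reviewer should look first.

```python
import json

# Constructed placeholder account IDs (not from the lesson).
RESOURCE_ACCOUNT = "111111111111"   # account that owns the S3 bucket
PEER_ACCOUNT = "222222222222"       # a different account being granted access

# Identity-based policy: attached to a role, so it names no Principal.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Resource-based policy (an S3 bucket policy): attached to the bucket, so it
# must say which principals it applies to, including one from another account.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowRead",
        "Effect": "Allow",
        "Principal": {"AWS": [
            f"arn:aws:iam::{RESOURCE_ACCOUNT}:role/AppRole",
            f"arn:aws:iam::{PEER_ACCOUNT}:role/PartnerRole",
        ]},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


def statements(doc):
    """Statement may be a single object or a list; always return a list."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def classify(doc):
    """'resource-based' if any statement carries Principal/NotPrincipal, else 'identity-based'."""
    for s in statements(doc):
        if "Principal" in s or "NotPrincipal" in s:
            return "resource-based"
    return "identity-based"


def aws_principals(stmt):
    """Return the AWS principals of a statement as a flat list ('*' means everyone)."""
    p = stmt.get("Principal")
    if p is None:
        return []
    if p == "*":
        return ["*"]
    if isinstance(p, str):          # bare account ID or ARN
        return [p]
    vals = p.get("AWS", [])         # ignore Service/Federated principals here
    return vals if isinstance(vals, list) else [vals]


def account_of(principal):
    """Extract the account ID from an ARN or bare account ID; '*' stays '*'."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):
        return principal.split(":")[4]  # arn:partition:service:region:account:resource
    return principal


def foreign_principals(doc, resource_account):
    """Allowed principals in a resource-based policy that are outside resource_account."""
    found = []
    for s in statements(doc):
        if s.get("Effect") != "Allow":
            continue
        for p in aws_principals(s):
            if account_of(p) != resource_account:
                found.append(p)
    return found


if __name__ == "__main__":
    for name, doc in (("identity", IDENTITY_POLICY), ("bucket", BUCKET_POLICY)):
        print(name, "->", classify(doc))
    # Works on raw JSON text as well, e.g. the output of get-bucket-policy.
    parsed = json.loads(json.dumps(BUCKET_POLICY))
    print("cross-account principals:", foreign_principals(parsed, RESOURCE_ACCOUNT))
```

Running it prints the identity policy as identity-based, the bucket policy as resource-based, and lists only the PartnerRole ARN from the peer account as a cross-account grant; a `"*"` principal would also be reported, since it belongs to no account at all.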
