IAM policies are JSON documents whose statements carry Effect, Action, Resource and an optional Condition key. AWS evaluates every policy that applies to a request and then allows or denies it.
Policy structure
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [
          "arn:aws:s3:::my-learning-bucket",
          "arn:aws:s3:::my-learning-bucket/*"
        ]
      }]
    }

Deny always wins over Allow when both apply.
Managed vs inline policies
- AWS managed — maintained by AWS (e.g. AmazonS3ReadOnlyAccess)
- Customer managed — your reusable custom policies
- Inline — embedded on one user/group/role; harder to reuse
Simulate policy (Console)
Open the IAM Policy Simulator (policysim.aws.amazon.com, also linked from the IAM console), pick the user, group or role to test, choose the actions and resources, and run the simulation. It reports whether each action is allowed or denied and which statements matched. The AWS CLI equivalent is aws iam simulate-principal-policy. Use it before attaching broad policies in production.
Practice: Perform IAM steps in the IAM Console or with the AWS CLI in a sandbox account only.
Policy evaluation
Every request starts as implicitly denied. An Allow in any applicable policy grants it, and an explicit Deny in any applicable policy overrides every Allow, so the order of checks is: explicit deny, then allow, then implicit deny. Use conditions (aws:SourceIp, aws:MultiFactorAuthPresent, aws:SourceVpc) to narrow when an Allow applies or when a Deny fires.
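To make the evaluation order concrete, here is a small evaluator written for this page; it is added example code, not part of the original and not an AWS library. It takes the Allow policy shown above plus a constructed Deny policy with two guard rails (MFA required, requests only from a hypothetical office range 203.0.113.0/24), and decides requests the way IAM does for identity-based policies in a single account: explicit Deny first, then Allow, else implicit deny. The policy names, the CIDR, the request contexts and the object key are all assumptions; NotAction, NotResource and resource-based or cross-account policies are not modelled.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed example policies. The Allow is the policy shown on this page; the
# Deny statements are hypothetical guard rails (MFA required, office range only).
ALLOW_BUCKET_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [
            "arn:aws:s3:::my-learning-bucket",
            "arn:aws:s3:::my-learning-bucket/*",
        ],
    }],
}

DENY_GUARD_RAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny any S3 call made without MFA; ...IfExists also fires when the key is absent
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {   # Deny any S3 call from outside the (assumed) office range
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: '*' and '?' are the only wildcards in Action/Resource."""
    patterns = _as_list(patterns)
    if case_insensitive:            # action names are matched case-insensitively
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _operator_holds(operator, actual, expected):
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if actual is None:
        # Simplification: a missing context key satisfies only the ...IfExists forms.
        return if_exists
    if base == "Bool":
        return str(actual).lower() in {e.lower() for e in expected}
    if base == "StringEquals":
        return actual in expected
    if base in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        in_range = any(ip in ipaddress.ip_network(cidr) for cidr in expected)
        return in_range if base == "IpAddress" else not in_range
    raise ValueError(f"condition operator not modelled: {operator}")


def condition_holds(condition, context):
    """Operator/key pairs in one Condition block are ANDed; values for a key are ORed."""
    return all(
        _operator_holds(operator, context.get(key), _as_list(expected))
        for operator, pairs in condition.items()
        for key, expected in pairs.items()
    )


def evaluate(policies, action, resource, context):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for the given request."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _glob_match(statement["Action"], action, case_insensitive=True):
                continue
            if not _glob_match(statement["Resource"], resource):
                continue
            if "Condition" in statement and not condition_holds(statement["Condition"], context):
                continue
            if statement["Effect"] == "Deny":
                return "explicitDeny"       # a matching Deny ends evaluation
            allowed = True
    return "allow" if allowed else "implicitDeny"


def demo():
    """Evaluate constructed requests against both policies; returns name -> decision."""
    policies = [ALLOW_BUCKET_READ, DENY_GUARD_RAILS]
    key = "arn:aws:s3:::my-learning-bucket/notes.txt"
    office_mfa = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
    office_no_mfa = {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.10"}
    remote_mfa = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "198.51.100.7"}
    no_mfa_key = {"aws:SourceIp": "203.0.113.10"}   # MFA key absent, e.g. a long-term access key
    return {
        "get_office_mfa": evaluate(policies, "s3:GetObject", key, office_mfa),
        "get_office_no_mfa": evaluate(policies, "s3:GetObject", key, office_no_mfa),
        "get_remote_mfa": evaluate(policies, "s3:GetObject", key, remote_mfa),
        "get_no_mfa_key": evaluate(policies, "s3:GetObject", key, no_mfa_key),
        "put_office_mfa": evaluate(policies, "s3:PutObject", key, office_mfa),
        "get_other_bucket": evaluate(policies, "s3:GetObject", "arn:aws:s3:::other-bucket/x", office_mfa),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} {decision}")
```

Two details worth noticing when you run it: the request with no MFA key at all is denied because BoolIfExists treats an absent key as matching, which is why that operator is the usual way to write a "deny unless MFA" guard rail, and s3:PutObject is refused by implicit deny without any Deny statement being involved, simply because no Allow names it.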
Important interview questions and answers
- Q: What beats Allow?
  A: An explicit Deny in any matching policy statement.
- Q: What is an ARN?
  A: Amazon Resource Name—unique identifier like arn:aws:s3:::bucket/key.
Self-check
- What four keys appear in a typical IAM policy statement?
- What is the difference between managed and inline policies?
Tip: Use IAM Policy Simulator before attaching broad managed policies in shared accounts.
Interview prep
- Deny vs Allow?
Explicit Deny overrides any Allow in evaluated policies.
- ARN?
Amazon Resource Name uniquely identifies AWS resources in policies.