1. The Anatomy of a Policy
IAM policies are JSON documents that explicitly list permissions. The acronym PARC (Principal, Action, Resource, Condition) is a helpful way to remember the elements of a policy statement. Note that identity-based policies don't explicitly require the 'Principal' element, because the principal is implicitly the user, group or role the policy is attached to.
2. The Evaluation Logic
When AWS evaluates a request, it starts with a default (implicit) Deny. It then checks all applicable policies. If any of them contains an explicit Deny that matches the request, the request is denied immediately. If there is no explicit Deny but a matching Allow exists, the request is allowed; otherwise the default Deny stands.
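As an added example (not part of the original notes), the evaluator below applies the default-deny, explicit-deny-wins, then-allow rule to a constructed identity-based policy laid out in PARC form without a Principal. It is a deliberately simplified model of the single-policy case described above: it ignores SCPs, permission boundaries, session and resource-based policies, supports only the Bool and StringEquals condition operators, and fails closed on any other operator.

```python
import fnmatch
import json

# Constructed identity-based policy (no Principal element): Action, Resource and
# an optional Condition per statement. The bucket name is a placeholder.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/uploads/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
  ]
}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Only Bool and StringEquals are modelled; anything else fails closed.
    for operator, pairs in condition.items():
        if operator not in ("Bool", "StringEquals"):
            raise NotImplementedError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True

def _statement_matches(stmt, action, resource, context):
    # Action names are case-insensitive and support '*' wildcards; ARNs are case-sensitive.
    actions_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resources_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return actions_ok and resources_ok and _condition_matches(stmt.get("Condition", {}), context)

def evaluate(policy_json, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    decision = "Deny"  # 1. start from the implicit deny
    for stmt in json.loads(policy_json)["Statement"]:
        if not _statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # 2. an explicit Deny ends evaluation immediately
        decision = "Allow"  # 3. remember the Allow, but keep scanning for a Deny
    return decision
```

Note that the explicit Deny on `secrets/*` overrides the broader Allow on the whole bucket regardless of statement order, and a request that matches no statement at all (for example `s3:DeleteObject`) is denied by default.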
