Policy is an object which is associated with a resource that defines the permissions. AWS evaluate these policies when user makes a request. Permissions in the policy determine whether to allow or to deny an action. Policies are stored in the form of a JSON documents.
AWS supports six types of policies:
- Identity-based policies
- Resource-based policies
- Permissions boundaries
- Organizations SCPs
- Access Control Lists
- Session policies
Identity-based policies
Identity-based policies are the permissions stored in the form of JSON format. This policy can be attached to an identity user, group of users or role. It determines the actions that the users can perform, on which resources, and under what conditions.
Identity-based policies are further classified into two categories:
Managed Policies: Managed Policies are the identity-based policies which can be attached to multiple users, groups or roles. There are two types of managed policies:
AWS Managed Policies
AWS Managed Policies are the policies created and managed by AWS. If you are using the policies first time, then we recommend you to use AWS Managed Policies.
Custom Managed Policies
Custom Managed Policies are the identity-based policies created by user. It provides more precise control over the policies than AWS Managed Policies.
Inline Policies
Inline Policies are the policies created and managed by user. These policies are encapsulated directly into a single user, group or a role.
Resource-Based Policies
Resource-based policies are the policies which are attached to the resource such as S3 bucket. Resource-based policies define the actions that can be performed on the resource and under what condition, these policies can be applied.
Permissions boundaries
Permissions boundaries are the maximum permissions that identity-based policy can grant to the entity.
Service Control Policies (SCPs)
Service Control Policies are the policies defined in a JSON format that specify the maximum permissions for an organization. If you enable all the features in an Organization, then you can apply Service Control Policies to any or all of your AWS accounts. SCP can limit the permission on entities in member accounts as well as AWS root user account.
Access Control Lists (ACLs)
ACL defines the control that which principals in another AWS account can access the resource. ACLs cannot be used to control the access of a principal in a different AWS account. It is the only policy type which does not have the JSON policy document format.