Evaluation logic starts from an implicit 'Deny': a request is allowed only if some applicable policy explicitly allows it, and an explicit Deny in any applicable policy overrides every Allow. There is a [https://docs.aws.amazon.com/images/IAM/latest/UserGuide/images/PolicyEvaluationHorizontal111621.png flow diagram] in the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html AWS IAM User Guide policy evaluation logic docs]
 
Steps for authorizing requests to AWS, whether they come from the Console, the CLI, or an API call:
 
# Authentication
# Processing the '''request context''' of
## Actions
## Resources
## Principal
## Environment data
## Resource data
# Evaluating all applicable policies (identity-based, resource-based, permissions boundaries, Organizations SCPs and session policies)
# Determining whether a request is allowed or denied
 
Types of Policies
 
* Identity-based policies - attached to Users, Groups, or Roles; grant permissions to that identity
* Resource-based policies - attached to a resource (for example an S3 bucket policy or a role's trust policy); name the principal(s) allowed to access that resource
* IAM permissions boundaries - set the maximum permissions an identity-based policy can grant an IAM entity; they grant nothing by themselves
* AWS Organizations service control policies (SCP) - specify the maximum permissions available to accounts in an organization or OU; they also grant nothing by themselves
* Session policies - passed programmatically when a temporary session is created with the AssumeRole* or GetFederationToken API actions; they can only restrict, never expand, the session's permissions
 
Within a single account, the '''effective''' permissions of an identity-based policy combined with a resource-based policy are the '''union''' of the two: an Allow in either one is enough. When combining an identity-based policy with a permissions boundary or an Organizations SCP the effective permissions are only the '''intersection''': the request must be allowed by the identity-based policy '''and''' by the boundary (or SCP). In every case an explicit Deny in any applicable policy overrides all Allows, and for cross-account access both the resource-based policy and the caller's identity-based policy must allow the request.<ref>https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics-id-rdp</ref>
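The decision order above, and the union-versus-intersection rule, are easiest to see in code. The following Python model is an added illustration and is not AWS code or the page author's: it treats policies as plain dicts shaped like IAM JSON (Effect / Action / Resource), matches wildcards with fnmatch, and deliberately omits Condition, NotAction/NotResource/Principal, cross-account requests and service-linked roles. The sample policies, bucket name and ARNs are constructed for the demonstration.

```python
"""Simplified model of the AWS IAM policy evaluation flow (added illustration, not AWS code).

Policies are dicts shaped like IAM JSON documents. Omitted on purpose: Condition,
NotAction/NotResource/Principal, cross-account access and service-linked roles.
"""
import fnmatch


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    """Action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, arn):
    """Resource ARNs match case-sensitively with the same wildcards."""
    return fnmatch.fnmatchcase(arn, pattern)


def _effects(policy, action, resource):
    """Yield the Effect of every statement in `policy` that matches the request."""
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(_match_action(p, action) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_match_resource(p, resource) for p in _as_list(stmt.get("Resource", "*")))
        if action_hit and resource_hit:
            yield stmt["Effect"]


def decide(policies, action, resource):
    """'Deny' if any statement explicitly denies, 'Allow' if any allows, else None (implicit deny)."""
    effects = {e for p in policies for e in _effects(p, action, resource)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def evaluate(action, resource, identity=(), resource_based=(), boundary=None, scps=(), session=None):
    """Walk the documented decision flow for one same-account request."""
    everything = list(identity) + list(resource_based) + list(scps)
    everything += [p for p in (boundary, session) if p]
    # 1. An explicit Deny in any applicable policy ends evaluation.
    if decide(everything, action, resource) == "Deny":
        return "Deny"
    # 2. If the account is in an organization, some SCP must allow the action.
    if scps and decide(scps, action, resource) != "Allow":
        return "Deny"
    # 3. Same account: an Allow in a resource-based policy is sufficient on its own
    #    (this is why identity-based and resource-based policies combine as a union).
    if decide(resource_based, action, resource) == "Allow":
        return "Allow"
    # 4. Otherwise an identity-based policy must allow ...
    if decide(identity, action, resource) != "Allow":
        return "Deny"
    # 5. ... AND the permissions boundary, if one is set (intersection) ...
    if boundary and decide([boundary], action, resource) != "Allow":
        return "Deny"
    # 6. ... AND the session policy, if one was passed (intersection).
    if session and decide([session], action, resource) != "Allow":
        return "Deny"
    return "Allow"


# Constructed sample policies and ARNs for the demonstration.
IDENTITY_S3_ADMIN = [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}]
IDENTITY_S3_READ = [{"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}]
IDENTITY_ALL = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]
READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
BUCKET_POLICY_PUT = [{"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                                     "Resource": "arn:aws:s3:::demo-bucket/*"}]}]
SCP_S3_ONLY = [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
                              {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]
OBJ = "arn:aws:s3:::demo-bucket/report.csv"
BUCKET = "arn:aws:s3:::demo-bucket"


def demo():
    """Return the decision for each scenario, keyed by scenario name."""
    return {
        "no_policies": evaluate("s3:GetObject", OBJ),                                   # implicit deny
        "identity_allow": evaluate("s3:GetObject", OBJ, identity=IDENTITY_S3_ADMIN),
        "boundary_blocks_put": evaluate("s3:PutObject", OBJ, identity=IDENTITY_S3_ADMIN, boundary=READ_ONLY),
        "boundary_allows_get": evaluate("s3:GetObject", OBJ, identity=IDENTITY_S3_ADMIN, boundary=READ_ONLY),
        "union_with_bucket_policy": evaluate("s3:PutObject", OBJ, identity=IDENTITY_S3_READ,
                                             resource_based=BUCKET_POLICY_PUT),
        "scp_blocks_ec2": evaluate("ec2:RunInstances", "*", identity=IDENTITY_ALL, scps=SCP_S3_ONLY),
        "scp_explicit_deny": evaluate("s3:DeleteBucket", BUCKET, identity=IDENTITY_S3_ADMIN, scps=SCP_S3_ONLY),
        "session_scoped_down": evaluate("s3:PutObject", OBJ, identity=IDENTITY_S3_ADMIN, session=READ_ONLY),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

Two scenarios carry the point of the paragraph above: in union_with_bucket_policy the identity policy only grants s3:GetObject, yet the request is allowed because the bucket policy grants s3:PutObject; in boundary_blocks_put the identity policy grants s3:* but the read-only boundary does not, so the request is denied. scp_explicit_deny shows that an explicit Deny in an SCP wins over an identity Allow, and scp_blocks_ec2 shows that an action the SCP never allows is denied even though the identity policy allows everything.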