The access management portion of AWS Identity and Access Management (IAM) helps you define what a user or other entity is allowed to do in an account, often referred to as authorization.
Permissions are granted through policies that are created and then attached to users, groups, or roles.
Policies and Users
By default, IAM users can't access anything in their accounts.
You grant permission to a user by creating a policy, which is a document that defines the effect, actions, resources, and optional conditions.
Any actions or resources that are not explicitly allowed are denied by default.
IAM Multiple Policies
Users or groups can have multiple policies attached to them, each granting different permissions.
When multiple policies are attached to a user (or a group), the user's effective permissions are calculated from the combination of all of those policies.
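The rule that permissions are the combination of all attached policies, with everything not explicitly allowed denied by default, can be made concrete with a small evaluator. The code below is an added example, not code from the original notes or from AWS; the three policy documents are constructed samples attached to a hypothetical user, and the evaluator deliberately models only Effect, Action and Resource (Condition, NotAction and cross-account checks are left out).

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not from the page) attached to one IAM user.
READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]}
    ],
}
DENY_SECRETS_PREFIX = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
    ],
}
EC2_DESCRIBE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
    ],
}
USER_POLICIES = [READ_ONLY_S3, DENY_SECRETS_PREFIX, EC2_DESCRIBE]


def _as_list(value):
    # IAM lets Action and Resource be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards (* and ?) map directly onto shell-style glob matching.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified IAM evaluation: start from implicit deny, let an explicit
    Deny in any attached policy win, otherwise Allow if any statement in any
    attached policy allows the action on the resource."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not (_matches(statement["Action"], action)
                    and _matches(statement["Resource"], resource)):
                continue  # statement does not apply to this request
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides every allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("ec2:DescribeInstances", "*"),
    ]:
        print(f"{act} on {res}: {evaluate(USER_POLICIES, act, res)}")
```

The second and third requests show the two kinds of "no": the secrets object is explicitly denied even though READ_ONLY_S3 would allow it, while the PutObject is simply never allowed by any policy and falls through to the implicit deny.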
Federated Users and Roles
Federated users don't have permanent identities in the AWS account the way that IAM users do.
To assign permissions to federated users, you create an entity referred to as a role and define the permissions for the role.
When a federated user signs in to AWS, the user is associated with the role and is granted the permissions defined in the role.
Resource-based policies
In some cases (such as an S3 bucket), you can attach a policy to the resource itself in addition to attaching policies to users or groups. This is called a resource-based policy.
A resource-based policy contains slightly different information than a user-based policy. In a resource-based policy, you specify what actions are permitted and what resource is affected.
You also explicitly list who is allowed access to the resource (a principal).
Resource-based policies include a Principal element that specifies who is granted the permission.
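Because the Principal element is what distinguishes a resource-based policy, it is also the first thing to check when reviewing one. The following is an added example, not code from the original notes or from AWS: a constructed S3 bucket policy with three statements, and a small lint routine that extracts each statement's principals, reports any Allow statement with no Principal, and flags an Allow granted to everyone ("*" or {"AWS": "*"}) that carries no Condition. The account ID and role name are placeholders.

```python
# Constructed example bucket policy (not from the page). The account ID
# 111122223333 and role name AppRole are placeholders.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/www/*"},
        {"Sid": "MissingPrincipal", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}


def principals_of(statement):
    """Return the principal identifiers a statement names.
    A bare "*" or {"AWS": "*"} both mean any principal and come back as "*"."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if principal == "*":
        return ["*"]
    names = []
    # Principal is a map such as {"AWS": [...]} or {"Service": "..."}.
    for _kind, value in principal.items():
        names.extend(value if isinstance(value, list) else [value])
    return names


def lint_resource_policy(policy):
    """Return (Sid, message) findings for statements a reviewer should look at."""
    findings = []
    for statement in policy["Statement"]:
        sid = statement.get("Sid", "<no Sid>")
        principals = principals_of(statement)
        if not principals:
            findings.append((sid, "no Principal element: a resource-based "
                                  "statement must say who is granted access"))
        elif (statement.get("Effect") == "Allow"
              and "*" in principals
              and "Condition" not in statement):
            findings.append((sid, "Allow to any principal without a Condition: "
                                  "this grants anonymous access to the resource"))
    return findings


if __name__ == "__main__":
    for sid, message in lint_resource_policy(BUCKET_POLICY):
        print(f"{sid}: {message}")
```

The first statement passes: it names a specific role ARN as the principal, which is exactly the information an identity-based policy does not carry.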